Skip to content

Hide Navigation Hide TOC

Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5)

The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples:

  • Windows Systems
    • Event ID: 4624
      • Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).
      • Account Name: JohnDoe
      • Source Network Address: 192.168.1.100
      • Authentication Package: NTLM
  • Linux Systems
    • /var/log/utmp or /var/log/wtmp:
      • Log format: login user [tty] from [source_ip]
      • User: jane
      • IP: 10.0.0.5
      • Timestamp: 2024-12-28 08:30:00
  • macOS Systems
    • /var/log/asl.log or unified logging framework:
      • Log: com.apple.securityd: Authentication succeeded for user 'admin'
  • Cloud Environments
    • Azure Sign-In Logs:
      • Activity: Sign-in successful
      • Client App: Browser
      • Location: Unknown (Country: X)
  • Google Workspace
    • Activity: Login
      • Event Type: successful_login
      • Source IP: 203.0.113.55

This data component can be collected through the following measures:

  • Windows Systems
    • Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.
    • PowerShell Example: Get-EventLog -LogName Security -InstanceId 4624
  • Linux Systems
    • Log Files: Monitor /var/log/utmp, /var/log/wtmp, or /var/log/auth.log for logon events.
    • Tools: Use last or who commands to parse login records.
  • macOS Systems
    • Log Sources: Monitor /var/log/asl.log or Apple Unified Logs using the log show command.
    • Command Example: log show --predicate 'eventMessage contains "Authentication succeeded"' --info
  • Cloud Environments
    • Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: az monitor log-analytics query -w <workspace_id> --analytics-query "AzureActivity | where ActivityStatus == 'Success' and OperationName == 'Sign-in'"
    • Google Workspace: Enable and monitor Login Audit logs from the Admin Console.
    • Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events.
  • Network Logs
    • Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs).
  • Enable EDR Monitoring:
    • EDR tools monitor logon session activity, including the creation of new sessions.
    • Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices.
    • Leverage EDR telemetry for session attributes like source IP, session duration, and originating process.
Cluster A Galaxy A Cluster B Galaxy B Level
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Cloud Service Discovery - T1526 (e24fcba8-2557-4442-a139-1ee2f2e784db) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 1
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Cloud Service Dashboard - T1538 (e49920b0-6c54-40c1-9571-73723653205f) Attack Pattern 1
Web Cookies - T1606.001 (861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component 1
Logon Session Creation (9ce98c86-8d30-4043-ba54-0784d478d0b5) mitre-data-component Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2) Attack Pattern Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Pluggable Authentication Modules - T1556.003 (06c00069-771a-4d57-8ef5-d3718c1a8771) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Direct Cloud VM Connections - T1021.008 (45241b9e-9bbc-4826-a2cc-78855e51ca09) Attack Pattern 2
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0) Attack Pattern 2
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Domain Controller Authentication - T1556.001 (d4b96d2c-1032-4b22-9235-2b5b649d0605) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Web Cookies - T1606.001 (861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a) Attack Pattern Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c) Attack Pattern 2
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Customer Relationship Management Software - T1213.004 (bbfbb096-6561-4d7d-aa2c-a5ee8e44c696) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2