title: Admin User Remote Logon
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
description: Detect remote login by Administrator user (depending on internal pattern).
references:
    - https://car.mitre.org/wiki/CAR-2016-04-005
tags:
    - attack.lateral_movement
    - attack.t1078.001
    - attack.t1078.002
    - attack.t1078.003
    - car.2016-04-005
status: experimental
author: juju4
date: 2017/10/29
modified: 2021/07/07
logsource:
    product: windows
    service: security
    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
detection:
    selection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
        TargetUserName|startswith: 'Admin'
    condition: selection
falsepositives:
    - Legitimate administrative activity.
level: low
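Added example, not part of this rule or of the Sigma project's tooling (pySigma is what converts rules for real backends): a small Python evaluator for the `selection` map above, run over constructed 4624/4625 events so the `LogonType: 10` and `TargetUserName|startswith` conditions can be seen firing and not firing. It implements only plain equality plus the `startswith` and `contains` modifiers; the sample events and usernames are invented.

```python
# Added example (not pySigma or other Sigma tooling): a minimal evaluator for this
# rule's `selection` map, run over constructed Windows Security events.

# The rule's detection block, transcribed from the YAML above.
SELECTION = {
    "EventID": 4624,
    "LogonType": 10,
    "AuthenticationPackageName": "Negotiate",
    "TargetUserName|startswith": "Admin",
}

def _field_matches(event: dict, key: str, expected) -> bool:
    """Apply one `field|modifier: value` pair; Sigma string matching is
    case-insensitive, so compare lower-cased text."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual, wanted = str(event[field]).lower(), str(expected).lower()
    if modifier == "":
        return actual == wanted
    if modifier == "startswith":
        return actual.startswith(wanted)
    if modifier == "contains":
        return wanted in actual
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """A Sigma selection map is an AND over all of its field/value pairs."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

# Constructed sample events (not real logs), reduced to the fields the rule reads.
SAMPLE_EVENTS = [
    # RDP logon (type 10) by an account matching the "Admin*" pattern -> fires
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "Admin-jdoe", "IpAddress": "10.0.0.5"},
    # Same logon by a regular user -> no hit
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    # Console logon (type 2) by the admin account -> not remote, no hit
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "Admin-jdoe", "IpAddress": "-"},
    # Failed logon (4625) by the admin account -> outside this rule, no hit
    {"EventID": 4625, "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "Admin-jdoe", "IpAddress": "10.0.0.7"},
]

def matching_users(events=SAMPLE_EVENTS) -> list:
    """TargetUserName of every event the rule fires on."""
    return [e["TargetUserName"] for e in events if selection_matches(e)]
```

Only the first sample event satisfies all four conditions, which is also why the rule lists legitimate administrative RDP sessions as its expected false positive.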