Potential Account Takeover - Logon from New Source IP

This detection rule identifies potential account takeover activity by analyzing Windows Security Event Logs for unusual login patterns. Specifically, it looks for user accounts that typically log in with high frequency from a single source IP address but then exhibit successful logins from a different source IP address with significantly lower frequency. This pattern may indicate that an attacker has compromised the account credentials and is accessing the network from a new, potentially malicious, location. This activity is detected by analyzing Windows Security Event ID 4624 events related to successful logins. The rule is designed to trigger when a user account logs in from a new IP address after establishing a pattern of high-volume logins from a primary IP address.

Attack Chain

1. Initial Access: The attacker gains access to valid user credentials through methods such as phishing, credential stuffing, or malware. (T1078)
2. Successful Logon: The attacker uses the compromised credentials to successfully log in to a Windows system from a new IP address (Event ID 4624, Logon Type Network/RemoteInteractive).
3. Lateral Movement (Possible): Once authenticated, the attacker may attempt to move laterally within the network to access additional resources or systems.
4. Privilege Escalation (Possible): The attacker may attempt to escalate their privileges to gain administrative access to the system or domain (TA0004).
5. Data Exfiltration (Possible): The attacker may attempt to exfiltrate sensitive data from the compromised system or network.
6. Persistence (Possible): The attacker may attempt to establish persistence mechanisms to maintain access to the system or network over time.

Impact

A successful account takeover can have significant consequences, including unauthorized access to sensitive data, lateral movement within the network, privilege escalation, and data exfiltration. The rule specifically looks for logon patterns indicative of account takeover. If an account is taken over, attackers could potentially gain access to systems and data the user has rights to access.

Recommendation

• Deploy the Sigma rule provided below to your SIEM and tune for your environment, paying close attention to the max_logon threshold.
• Enable Audit Logon within Windows to ensure the events needed for detection are available as mentioned in the setup instructions.
• Investigate any alerts generated by the Sigma rule by confirming with the account owner if they logged in from the new source IP.
• Check the new source IP for reputation, geography, and whether it is expected as described in the rule’s triage steps.
• Correlate any generated alerts with other alerts for the same user or source IP such as logon failures, password changes, or MFA changes as part of your investigation.