Threat Feed
medium advisory

Potential Account Takeover via Mixed Logon Types

A Windows account, usually a service account, exhibiting a sudden shift in logon type patterns may indicate account compromise and lateral movement.

This detection identifies a user account, often a service account, that normally logs on in high volume with one logon type (for example type 5, Service, or type 4, Batch) but suddenly shows a small number of successful logons with a different logon type (for example type 2, Interactive, type 3, Network, or type 10, RemoteInteractive). Such a shift may signal account takeover or the use of stolen credentials from a new context: a service account that only ever starts services has no reason to log on at a console or over RDP. The distinction matters to defenders because service accounts are frequently over-privileged, so a compromised one can lead to privilege escalation and lateral movement across the network. The detection logic is based on Windows Security Event ID 4624 (An account was successfully logged on), whose LogonType field records how each successful logon was performed.

Attack Chain

  1. Initial Access: An attacker gains a foothold and obtains valid credentials for an account in the environment.
  2. Credential Compromise: From that foothold the attacker obtains a service account’s credentials.
  3. Lateral Movement: The attacker uses the service account to reach other systems in the network.
  4. Authentication: Those logons succeed with a logon type the account has not used before (for example an interactive or RDP logon by an account that previously only produced Service or Batch logons), which is the pattern this detection looks for in Event ID 4624.
  5. Privilege Escalation: The attacker leverages the service account’s permissions to escalate privileges.
  6. Resource Access: The attacker accesses sensitive resources using the compromised account.
  7. Data Exfiltration: The attacker exfiltrates sensitive data.

Impact

A successful account takeover can lead to significant damage, including data breaches, privilege escalation, and lateral movement within the network. If a service account is compromised, attackers gain access to every system and data set that account is entitled to, and because such accounts are often used across many hosts, a single compromise can affect hundreds or thousands of users or systems. The shift in logon types often goes unnoticed: the attacker’s logons are successful (Event ID 4624) just like the legitimate ones, so without a per-account baseline of which logon types are normal, a handful of unexpected logons blends into the volume and lets the attacker maintain persistence.

Recommendation

  • Enable the Audit Logon subcategory (Advanced Audit Policy Configuration > Logon/Logoff > Audit Logon, Success) so that Event ID 4624 is generated on the monitored hosts (reference: Setup section in content).
  • Deploy the Sigma rule “Potential Account Takeover - Mixed Logon Types” to your SIEM and tune the thresholds (max_logon, min_logon) based on your environment.
  • Investigate any alerts generated by the Sigma rule by confirming with the account owner or service owner whether the additional logon type is expected (reference: Investigation Guide section).
  • Implement multi-factor authentication (MFA) for all user accounts that can use it. Most service accounts cannot complete an MFA prompt, so for them restrict the logon types the account may use instead (for example with the Deny log on locally and Deny log on through Remote Desktop Services user rights) so that an unexpected interactive or RDP logon fails rather than succeeds, and prefer group Managed Service Accounts where the workload supports them.

Detection coverage (2 rules)

Potential Account Takeover - Mixed Logon Types

medium

Detects a user account with a high volume of logons using one logon type suddenly showing successful logons using a different logon type with a low count.

Sigma | tactics: privilege_escalation | techniques: T1078 | sources: authentication, windows

Anomalous Logon Type - Network Logon

medium

Detects anomalous network logon events (LogonType 3) for accounts that typically use other logon types.

Sigma | tactics: credential_access | techniques: T1078 | sources: authentication, windows
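The threshold logic described above (a high-volume logon type alongside a low-count different type for the same account), and the network-logon-only variant of the second rule, as an added worked example. This is not the platform’s Sigma rule or its code: it is a stand-alone Python illustration run over constructed Event ID 4624 records. It assumes the 4624 field names from the event XML (TargetUserName, LogonType, WorkstationName, IpAddress), takes the page’s max_logon and min_logon as tunables, and adds a hypothetical rare_types parameter to restrict which logon types count as the unexpected side; the sample events are made up.

```python
"""Added example (not the platform's Sigma rule): the threshold logic of a
'mixed logon types' detection, run over constructed Event ID 4624 records."""
from collections import Counter, defaultdict

# Logon type values as documented for Event ID 4624.
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Computer accounts ("HOST$") and well-known identities legitimately mix
# logon types, so they are excluded to keep the alert volume down.
EXCLUDED_ACCOUNTS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def _name(logon_type):
    return LOGON_TYPE_NAMES.get(logon_type, str(logon_type))


def find_mixed_logon_types(events, max_logon=100, min_logon=5, rare_types=None):
    """Return one alert per account that, within the supplied window, has at
    least `max_logon` successful logons of one type and at most `min_logon`
    of another. `rare_types` (hypothetical parameter) restricts which logon
    types count as the unexpected side, e.g. {3} for a network-logon-only
    variant. Each event is a dict carrying the 4624 fields used here:
    EventID, TargetUserName, LogonType, WorkstationName, IpAddress."""
    counts = defaultdict(Counter)                    # account -> {type: n}
    sources = defaultdict(lambda: defaultdict(set))  # account -> type -> {(host, ip)}
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        user = ev["TargetUserName"]
        if user.endswith("$") or user.upper() in EXCLUDED_ACCOUNTS:
            continue
        counts[user][ev["LogonType"]] += 1
        sources[user][ev["LogonType"]].add(
            (ev.get("WorkstationName", "-"), ev.get("IpAddress", "-")))

    alerts = []
    for user, by_type in sorted(counts.items()):
        dominant = {t: n for t, n in by_type.items() if n >= max_logon}
        rare = {t: n for t, n in by_type.items()
                if n <= min_logon and (rare_types is None or t in rare_types)}
        if not dominant or not rare:
            continue  # no established baseline, or no outlier against it
        alerts.append({
            "account": user,
            "dominant": {_name(t): n for t, n in dominant.items()},
            "rare": {_name(t): n for t, n in rare.items()},
            # Where the rare logons came from: the first pivot for triage.
            "rare_sources": {_name(t): sorted(sources[user][t]) for t in rare},
        })
    return alerts


def build_sample_events():
    """Constructed sample telemetry, not real log data."""
    def logon(user, ltype, host, ip):
        return {"EventID": 4624, "TargetUserName": user, "LogonType": ltype,
                "WorkstationName": host, "IpAddress": ip}
    events = []
    events += [logon("svc_backup", 5, "BKP01", "-")] * 150             # normal service logons
    events += [logon("svc_backup", 10, "WS-FIN-07", "10.20.3.41")] * 2  # two RDP logons: the anomaly
    events += [logon("jsmith", 2, "WS-FIN-07", "-")] * 40               # ordinary user, below max_logon
    events += [logon("jsmith", 3, "FS01", "10.20.3.41")] * 3
    events += [logon("svc_sql", 5, "SQL01", "-")] * 200                 # high volume, single type
    events += [logon("DC01$", 3, "DC01", "10.20.0.5")] * 120            # computer account, excluded
    events += [logon("DC01$", 5, "DC01", "-")]
    return events


if __name__ == "__main__":
    for alert in find_mixed_logon_types(build_sample_events()):
        print(alert)
```

With the defaults only svc_backup fires: 150 Service logons establish the baseline and the two RemoteInteractive logons from WS-FIN-07 are the outlier, with the source host and address carried into the alert for triage. Lowering max_logon to 30 also turns jsmith’s 40 interactive logons into a baseline and alerts on the three network logons, which is the kind of noise the page’s advice to tune max_logon and min_logon per environment is meant to avoid; passing rare_types={3} reproduces the network-logon-only rule and ignores the RDP outlier.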

Detection queries are kept inside the platform.