Skip to content
Threat Feed
medium advisory

Potential Account Takeover via Logon from New Source IP

Atypical login activity where a user account, normally logging in from a high-volume, single source IP, suddenly authenticates from a different IP address, potentially indicating account takeover or stolen credentials.

This detection identifies a suspicious logon pattern indicative of potential account compromise. The rule focuses on scenarios where a user account, consistently logging in from a single IP address with high frequency, suddenly starts logging in from a different IP address. This deviation could signal an attacker using stolen credentials from a new location, bypassing typical authentication controls. The detection logic is designed to trigger when a user account exceeds a threshold of 1000 logons from a primary IP and then logs in from a secondary IP with a significantly lower logon count (between 1 and 5). The rule is designed to detect activity across Windows environments, leveraging Windows Security Event Logs.

Attack Chain

  1. The attacker gains access to valid user credentials through phishing, malware, or credential stuffing.
  2. The attacker attempts to authenticate to a Windows system or service using the compromised credentials.
  3. A successful logon event (Event ID 4624) is generated in the Windows Security Event Log. The logon type is either Network or RemoteInteractive.
  4. The security monitoring system ingests and analyzes the logon event data, specifically user name, source IP, and logon counts.
  5. The detection rule identifies a user account with a history of high-volume logons from a single IP address (>=1000).
  6. The detection rule detects the same user account logging in from a new IP address with a significantly lower logon count (between 1 and 5).
  7. The system flags the event as a potential account takeover.
  8. The attacker gains unauthorized access to systems and data, potentially leading to privilege escalation or data exfiltration.

Impact

A successful account takeover can lead to unauthorized access to sensitive systems and data. An attacker may escalate privileges, install malware, exfiltrate data, or disrupt services. The impact can range from data breaches and financial loss to reputational damage and operational downtime. This can lead to lateral movement across the network and further compromise of other systems and accounts.

Recommendation

  • Deploy the Sigma rule Potential Account Takeover - New Source IP to your SIEM and tune the max_logon and min_logon thresholds to fit your environment and reduce false positives.
  • Investigate alerts generated by the Potential Account Takeover - New Source IP rule by confirming with the account owner whether they recently logged in from the new source IP.
  • Check the new source IP for reputation and geography, and correlate with other alerts for the same user or source IP based on the investigation steps in the rule note.
  • Enable and enforce multi-factor authentication (MFA) to mitigate the risk of credential-based attacks.
  • Monitor Windows Security Event Logs (Data Source: Windows Security Event Logs) for successful logon events (Event ID 4624) to enable the rules to function.

Detection coverage 2

Potential Account Takeover - New Source IP

medium

Detects a user account logging in from a new source IP after a history of high-volume logins from a single IP, indicating potential account takeover.

sigma tactics: credential_access techniques: T1078 sources: authentication, windows

Potential Account Takeover - High Logon Count Anomaly

low

Detects an unusual number of logon attempts for a specific user, potentially indicating credential compromise or brute-force attack.

sigma tactics: credential_access techniques: T1110 sources: authentication, windows

Detection queries are available on the platform. Get full rules →