Identifying Interactive or RemoteInteractive Session From Service Account

KQL Queries:

KQL query for discovering Interactive, RemoteInteractive or CachedInteractive logon sessions initiated by service accounts, using the DeviceLogonEvents table (Microsoft Defender for Endpoint data, available in Microsoft Defender advanced hunting or in Microsoft Sentinel / Azure Log Analytics through the Defender connector):

// Regex matching the service account naming conventions in use (customise as needed).
// (?i) makes the match case-insensitive, because AccountName casing varies between devices.
let ServiceAccountRegex = @"(?i)^(svc_|service_|sa_)";
// Logon types a service account should not normally use: local console (Interactive),
// RDP / terminal services (RemoteInteractive) and console logon with cached domain
// credentials (CachedInteractive). Service and Batch logons are expected and excluded.
DeviceLogonEvents
| where LogonType in ("Interactive", "RemoteInteractive", "CachedInteractive")
| where AccountName matches regex ServiceAccountRegex   // keep only service accounts
| summarize
    TotalLogons = count(),
    SuccessfulLogons = countif(ActionType == "LogonSuccess"),   // ActionType is the outcome
    FailedAttempts = countif(ActionType == "LogonFailed"),
    UniqueDevices = dcount(DeviceName)
    by AccountName, LogonType, bin(Timestamp, 1h)
| project Timestamp, AccountName, LogonType, TotalLogons, SuccessfulLogons, FailedAttempts, UniqueDevices
| order by TotalLogons desc

Key Details:

  1. Service Account Identification:

    • ServiceAccountRegex: a regular expression built from the naming conventions used for service accounts (e.g., svc_, service_, sa_). The (?i) flag makes the match case-insensitive, since AccountName casing is not consistent across devices.

    • Applied with matches regex against AccountName. Customise the patterns to fit your organisation; any service account that does not follow the convention is missed by this check (see Customisation).

  2. Logon Type Filtering:

    • Keeps Interactive (local console), RemoteInteractive (RDP / terminal services) and CachedInteractive (console logon with cached domain credentials), all of which are uncommon for service accounts. Service and Batch logon types are the expected ones for such accounts and are deliberately excluded, otherwise every scheduled task and service start would be a hit.

  3. Logon Status:

    • Separates successful and failed attempts using countif(ActionType == "LogonSuccess") and countif(ActionType == "LogonFailed"). LogonType describes the kind of logon; ActionType describes its outcome.

  4. Aggregation:

    • Groups by AccountName, LogonType and hour to summarise:

      • TotalLogons: Total logon attempts.

      • SuccessfulLogons: Number of successful logons.

      • FailedAttempts: Number of failed logon attempts.

      • UniqueDevices: Number of unique devices involved. A service account succeeding on several workstations within an hour is more suspicious than one succeeding on the single host it normally runs on.

  5. Time Binning:

    • Groups results into 1-hour intervals using bin(Timestamp, 1h).

  6. Results:

    • Displays key fields, sorted by the number of total logon attempts:

      • Timestamp, AccountName, LogonType, TotalLogons, SuccessfulLogons, FailedAttempts, and UniqueDevices.

Customisation:

  • Service Account Patterns:

    • Modify ServiceAccountRegex to include all patterns used in your environment. If service accounts do not share a naming convention, maintain an explicit list of them (for example a Microsoft Sentinel watchlist) and filter AccountName against that list instead of, or in addition to, the regex.

  • Time Range:

    • Add a specific time filter, e.g., | where Timestamp between (startTime .. endTime) or | where Timestamp > ago(24h).

Use Case:

Identifies potential misuse of service accounts, as they should not typically perform interactive or remote interactive logons. An interactive logon with a service account usually means either a compromised credential (service account passwords are often long-lived, shared and stored in config files) or an administrator using the account to troubleshoot; both are worth reviewing, and the latter should become a documented exception rather than being tuned out silently.

Splunk Query

Splunk query to discover Interactive or RemoteInteractive logon sessions initiated by service accounts. This query works with Windows Security Event Logs or similar authentication-related data sources. Note: The fields in your Splunk logs may differ slightly; for example, AccountName may be displayed as Account_Name and LogonType as Logon_Type. On event 4624 the account name is present twice (the Subject that requested the logon and the New Logon account); match on the New Logon account, since the Subject is often SYSTEM or a computer account.

index=wineventlog sourcetype=WinEventLog EventCode IN (4624, 4625) LogonType IN (2, 10, 11)
| eval LogonTypeDescription=case(
    LogonType=="2", "Interactive",
    LogonType=="10", "RemoteInteractive",
    LogonType=="11", "CachedInteractive")
| eval LogonStatus=if(EventCode==4624, "Success", "Failure")
| where match(AccountName, "(?i)^(svc_|service_|sa_|admin_)")
| bin _time span=1h
| stats count AS TotalLogons,
        count(eval(LogonStatus="Success")) AS SuccessfulLogons,
        count(eval(LogonStatus="Failure")) AS FailedLogons,
        dc(dest) AS UniqueDevices
        by _time, AccountName, LogonTypeDescription
| sort - TotalLogons
| table _time, AccountName, LogonTypeDescription, TotalLogons, SuccessfulLogons, FailedLogons, UniqueDevices

Query Details:

  1. Event Code Filtering:

    • EventCode IN (4624, 4625): 4624 is a successful logon and 4625 a failed logon attempt. LogonStatus is derived from the EventCode, so both outcomes are counted in a single search. Failed logons (4625) carry the logon type that was attempted, so the logon type filter applies to them too.

  2. Logon Type Filtering and Description:

    • LogonType IN (2, 10, 11) in the base search restricts the results to the same set as the KQL query, and case() maps the numeric values to readable names:

      • 2: Interactive logon.

      • 10: RemoteInteractive logon (RDP / terminal services).

      • 11: CachedInteractive logon (console logon with cached domain credentials).

  3. Service Account Identification:

    • where match(AccountName, "(?i)^(svc_|service_|sa_|admin_)") keeps only accounts whose name starts with one of the naming conventions, case-insensitively. admin_ is included here as an example of a privileged-account convention; modify the list as needed for your environment.

  4. Statistics:

    • bin _time span=1h groups events into 1-hour intervals, matching the KQL query, then stats aggregates per _time, AccountName and LogonTypeDescription:

      • TotalLogons: Total logon attempts.

      • SuccessfulLogons: Successful logons (4624).

      • FailedLogons: Failed logons (4625).

      • UniqueDevices: Unique destination devices. dest is populated by the Splunk Add-on for Microsoft Windows; use ComputerName or host if it is not extracted in your data.

  5. Output:

    • Displays the key details, sorted by total logon attempts: _time, AccountName, LogonTypeDescription, TotalLogons, SuccessfulLogons, FailedLogons, and UniqueDevices.

Customisation:

  • Index and Sourcetype:

    • Replace index=wineventlog and sourcetype=WinEventLog with the appropriate values for your data source (for example the XmlWinEventLog sourcetype if Windows events are collected in XML format).

  • Service Account Patterns:

    • Adjust the regex in match() to align with your organization's naming conventions, or replace it with a lookup of known service accounts if they do not follow one.

  • Time Range:

    • Add a time filter such as earliest=-24h or use the Splunk time picker.

This query identifies anomalous use of service accounts in interactive or remote sessions, helping detect potential misuse or compromise.
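The detection that both queries express, run over a handful of constructed 4624/4625-style events, as an added Python example (this is not code from the original page and not a product API). It assumes event dicts with the fields time, event_code, logon_type, subject, target and dest, a hypothetical KNOWN_SERVICE_ACCOUNTS allowlist for accounts that break the naming convention, and the same svc_/service_/sa_ prefixes as the queries. It also makes two pitfalls explicit that the queries leave implicit: matching on the Subject account instead of the New Logon (target) account, and case differences in account names splitting one account across several result rows.

```python
"""Hour-binned summary of interactive logons by service accounts.

Added example: reimplements the KQL/SPL detection above over constructed events so the
logic can be checked offline. Field names and the allowlist are assumptions, not the
schema of any product.
"""
import re
from collections import defaultdict
from datetime import datetime

# Logon types a service account should not normally use (Windows numeric codes).
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Naming-convention prefixes (assumed; customise). (?i) because AccountName casing varies.
SERVICE_ACCOUNT_RE = re.compile(r"(?i)^(svc_|service_|sa_)")
# Hypothetical allowlist for service accounts that do not follow the convention.
KNOWN_SERVICE_ACCOUNTS = {"backupagent"}


def is_service_account(name: str) -> bool:
    """True if the account is a service account by prefix or by explicit list."""
    return bool(SERVICE_ACCOUNT_RE.match(name)) or name.lower() in KNOWN_SERVICE_ACCOUNTS


def hour_bin(timestamp: str) -> str:
    """Equivalent of bin(Timestamp, 1h): truncate an ISO-8601 UTC timestamp to the hour."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def summarize_service_account_logons(events):
    """Group interactive logons by (account, logon type, hour) like the summarize/stats stages.

    Each event is a dict with: time, event_code (4624 success / 4625 failure), logon_type
    (numeric), subject (account that requested the logon), target (New Logon account), dest.
    Only the target account is tested: on 4624 the subject is often SYSTEM or a computer
    account, and a service-looking subject does not mean a service account logged on.
    """
    groups = defaultdict(lambda: {"total": 0, "successful": 0, "failed": 0, "devices": set()})
    for ev in events:
        if ev["event_code"] not in (4624, 4625):
            continue
        logon_type = INTERACTIVE_LOGON_TYPES.get(ev["logon_type"])
        if logon_type is None:               # Service, Batch, Network etc. are expected
            continue
        if not is_service_account(ev["target"]):
            continue
        # Normalise case so svc_backup and SVC_Backup aggregate into one row.
        key = (ev["target"].lower(), logon_type, hour_bin(ev["time"]))
        g = groups[key]
        g["total"] += 1
        if ev["event_code"] == 4624:
            g["successful"] += 1
        else:
            g["failed"] += 1
        g["devices"].add(ev["dest"])

    rows = [
        {"hour": hour, "account": account, "logon_type": lt, "total": g["total"],
         "successful": g["successful"], "failed": g["failed"], "unique_devices": len(g["devices"])}
        for (account, lt, hour), g in groups.items()
    ]
    # order by TotalLogons desc, with a deterministic tie-break.
    return sorted(rows, key=lambda r: (-r["total"], r["account"], r["logon_type"], r["hour"]))


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:05:00Z", "event_code": 4624, "logon_type": 10, "subject": "WS01$",  "target": "svc_backup",  "dest": "WS01"},
    {"time": "2024-05-01T09:20:00Z", "event_code": 4624, "logon_type": 10, "subject": "WS02$",  "target": "SVC_Backup",  "dest": "WS02"},
    {"time": "2024-05-01T09:40:00Z", "event_code": 4625, "logon_type": 2,  "subject": "-",      "target": "svc_backup",  "dest": "WS03"},
    {"time": "2024-05-01T10:10:00Z", "event_code": 4624, "logon_type": 5,  "subject": "SYSTEM", "target": "svc_backup",  "dest": "SRV01"},  # service start: expected
    {"time": "2024-05-01T10:15:00Z", "event_code": 4624, "logon_type": 3,  "subject": "-",      "target": "sa_sql",      "dest": "SQL01"},  # network logon: expected
    {"time": "2024-05-01T10:30:00Z", "event_code": 4624, "logon_type": 2,  "subject": "svc_x",  "target": "jdoe",        "dest": "WS04"},   # subject only: not a hit
    {"time": "2024-05-01T11:00:00Z", "event_code": 4624, "logon_type": 2,  "subject": "-",      "target": "backupagent", "dest": "WS05"},   # allowlisted name
]

if __name__ == "__main__":
    for row in summarize_service_account_logons(SAMPLE_EVENTS):
        print(row)
```

Running it yields three rows: svc_backup with two RemoteInteractive successes across two devices in the 09:00 hour, one failed Interactive attempt for the same account in that hour, and one Interactive success for the allowlisted backupagent. The Service and Network logons, and the event whose Subject merely looks like a service account, produce no rows.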
