Logon Sessions for Cyber Defenders

Logon sessions are created upon a user's successful logon and terminated upon logout. They provide a defensive capability by allowing security analysts to join related actions performed within the same logon session for detection and investigation purposes. Available telemetry on logon sessions is currently limited but can be found in Windows security events, Sysmon, and some EDR solutions. Practical examples were provided showing how logon session analysis could help detect credential dumping, privilege escalation, and lateral movement.

Uploaded by

Saggy K

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

162 views27 pages

Logon Sessions for Cyber Defenders

Uploaded by

Saggy K

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Once Upon a Login

How Logon Sessions Help Defenders See the Bigger Picture

About Me (@jsecurity101)
Consultant @SpecterOps/Defensive Security Researcher
• Detection, Threat Hunting, Compromise Assessments
• Windows Internals, All Things Data, Reverse Engineering
• Open-Source Author/Contributor
• Atomic Test Harnesses
• MSRPC-To-ATT&CK
• Windows APIs To Sysmon-Events
Formerly Sr. Threat Researcher @RedCanary
Host of the Detection: Challenging Paradigms Podcast
Overview
• The “Why”?
• What are logon sessions?
• Defensive Capabilities
• Available Telemetry
• Test-Cases
• PowerShell Script Drop
The “Why”
• Majority of detection and investigation strategies are heavily process
centric
• This leads to A LOT of analysis for the analyst
• Potential “lost” activity
• TIME CONSUMING
Logon Sessions

Logon
Session Authentication Origin Token
Initialization Creation
Logon Sessions
• Session that is created upon a user’s successful logon
• Terminates when the user is logged off
• Referenced via a LogonId value
• LowPart of LUID structure
• If the user that logs in has High IL privileges (administrative privileges)
2 logon sessions are generated. Known as a split token/linked token.
• 1 for Medium IL session
• 1 for High IL session
Split Token Example
Access Tokens
• Securable objects that serve to identify the security context of
processes/threads
• Contain information–
• User SID
• Group Memberships
• Privileges
• Logon ID/Logon Session
• Represented in the kernel via TOKEN structure
• Generated after authentication
• 1 token per logon session
Logon Sessions in Token Structure
Logon Session Generation Process
Defensive Capabilities
• Detections
• Performing JOINs on actions performed in the same logon session
• <example>
• Investigation
• More scoped approach
• Alert goes off (LogonID is exposed)
• LogonID query to pull all actions performed with that logon session
• Investigate
Note: There are some gaps within some vendors on which logs expose
LogonId fields*
Available Telemetry Today
• Window Security Events
• High Volume
• Sysmon
• Only ProcessCreation events
• Microsoft Defender for Endpoint
• 48(+) different ActionTypes contain LogonId data
• Other EDR vendors
Microsoft Defender for Endpoint
MDE NewCredential Limitation
Practical Examples (Credential Dumping)
Practical Examples (Privilege Escilation)
A process was injected with potentially malicious code
Practical Examples (Privilege Escilation)
A process was injected with potentially malicious code
Practical Examples (Lateral Movement)
Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)

WinRM
Practical Examples (Lateral Movement)
Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
Practical Examples (Lateral Movement)
Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
Practical Examples (Lateral Movement)
Suspicious process executed PowerShell command
Practical Examples (Lateral Movement)
Detection
Investigation Script
Conclusion
• Goal is to provide an initial targeted approach
• Logon Session Centric Analysis is not meant to replace previous
analysis methodologies
• Other processes will still need to be used due to limitations in today’s
telemetry
• Really powerful with multiple data sources – Security Events + EDR!!
Resources
• Windows Internals Book Part 1, Chapter 7
• Microsoft Authentication/Logon Documentations

• LogonProcesses.ps1 -
https://gist.github.com/jsecurity101/12e75415b35a5d220d13674e9e
d43373
Q/A

Unit 3
No ratings yet
Unit 3
40 pages
Database Concepts Class 1
No ratings yet
Database Concepts Class 1
47 pages
CCNP ENCOR 350-401: IP Services Guide
No ratings yet
CCNP ENCOR 350-401: IP Services Guide
76 pages
Cdi 6C: Lesson 2
No ratings yet
Cdi 6C: Lesson 2
21 pages
ARIS 10-0sr1 Aware Guide
No ratings yet
ARIS 10-0sr1 Aware Guide
26 pages
Lesson 1 Tech Innov MGMT
No ratings yet
Lesson 1 Tech Innov MGMT
34 pages
SQL Server Reporting Tools Overview
No ratings yet
SQL Server Reporting Tools Overview
22 pages
Crypto 101
No ratings yet
Crypto 101
222 pages
Neis Introduction To Aconex
No ratings yet
Neis Introduction To Aconex
6 pages
Lab 1 RDBMS
No ratings yet
Lab 1 RDBMS
12 pages
ARIS 10-0sr1 Connect Viewer User Manual
No ratings yet
ARIS 10-0sr1 Connect Viewer User Manual
231 pages
DP-100 Exam Study Guide for Azure Data Science
No ratings yet
DP-100 Exam Study Guide for Azure Data Science
11 pages
Reporting Tool Tutorial PDF
No ratings yet
Reporting Tool Tutorial PDF
174 pages
ICS Modules
No ratings yet
ICS Modules
67 pages
Privacy Program Management Framework
No ratings yet
Privacy Program Management Framework
28 pages
Advanced Planning Command Center Overview
No ratings yet
Advanced Planning Command Center Overview
82 pages
Apex 241 New Features
No ratings yet
Apex 241 New Features
52 pages
B2B Marketing: TALC Strategies Explained
No ratings yet
B2B Marketing: TALC Strategies Explained
14 pages
pt0 002 05
No ratings yet
pt0 002 05
33 pages
V9.2.0a Releasenotes v2.0
100% (1)
V9.2.0a Releasenotes v2.0
146 pages
Overview of Power App Types and Features
No ratings yet
Overview of Power App Types and Features
32 pages
Data Analysis with Spreadsheets Guide
No ratings yet
Data Analysis with Spreadsheets Guide
87 pages
Cisco Email Security Appliance: Initial Setup
No ratings yet
Cisco Email Security Appliance: Initial Setup
15 pages
Weekly Renewal Statistics Overview
No ratings yet
Weekly Renewal Statistics Overview
2 pages
19c ASM Database Installation On VirtualBox
100% (1)
19c ASM Database Installation On VirtualBox
3 pages
Getting Started With E-Business
No ratings yet
Getting Started With E-Business
49 pages
Tune and Troubleshoot Oracle Data Guard (Part 4 of 8)
100% (1)
Tune and Troubleshoot Oracle Data Guard (Part 4 of 8)
19 pages
pt0 002 08
No ratings yet
pt0 002 08
33 pages
Install APS105 Virtual Machine Guide
No ratings yet
Install APS105 Virtual Machine Guide
12 pages
Lab Answer Key: Module 1: SQL Server Security Lab: Authenticating Users
No ratings yet
Lab Answer Key: Module 1: SQL Server Security Lab: Authenticating Users
10 pages
Seasonal Vegetable and Fruit Sales Data
100% (1)
Seasonal Vegetable and Fruit Sales Data
5 pages
PRTG - PPT 08 - Iso 27001 - 2022 Isms Li 5d Session 8
No ratings yet
PRTG - PPT 08 - Iso 27001 - 2022 Isms Li 5d Session 8
8 pages
Privacy Impact Assessment: (Insert Project Name) : Date
No ratings yet
Privacy Impact Assessment: (Insert Project Name) : Date
18 pages
The Oracle IProcurement Functionality
No ratings yet
The Oracle IProcurement Functionality
18 pages
Data Governance Essentials and Practices
No ratings yet
Data Governance Essentials and Practices
46 pages
00-AppInADay Lab Overview
No ratings yet
00-AppInADay Lab Overview
4 pages
Cisco Email Security Setup Guide
No ratings yet
Cisco Email Security Setup Guide
15 pages
Power Apps & Dynamics 365 Developer Skills
No ratings yet
Power Apps & Dynamics 365 Developer Skills
7 pages
Digital Twin Training Course
No ratings yet
Digital Twin Training Course
11 pages
Protecting Industrial Control Systems From Electronic Threats
0% (3)
Protecting Industrial Control Systems From Electronic Threats
8 pages
Wireless Roaming and Location Services
No ratings yet
Wireless Roaming and Location Services
24 pages
BI & Data Warehousing Expert Profile
No ratings yet
BI & Data Warehousing Expert Profile
5 pages
Module 1
No ratings yet
Module 1
43 pages
pt0 002 04
No ratings yet
pt0 002 04
39 pages
APEX: Computations, Processes, Validations
No ratings yet
APEX: Computations, Processes, Validations
27 pages
Industrial Control Systems Cyber Security: Prepared By: Ahmed Shitta
No ratings yet
Industrial Control Systems Cyber Security: Prepared By: Ahmed Shitta
39 pages
01-Power Apps Canvas App Lab Manual
No ratings yet
01-Power Apps Canvas App Lab Manual
57 pages
SCM - Product Update Oracle Fusion Cloud SCM - 24C Release Update
No ratings yet
SCM - Product Update Oracle Fusion Cloud SCM - 24C Release Update
42 pages
2 Scanning
No ratings yet
2 Scanning
169 pages
B ESA Admin Guide 11 1
No ratings yet
B ESA Admin Guide 11 1
1,176 pages
Oracle Database 19c Data Guard Administration Workshop
No ratings yet
Oracle Database 19c Data Guard Administration Workshop
1 page
R12 Purchasing Presentation OA
No ratings yet
R12 Purchasing Presentation OA
39 pages
SY0-071-Module 2 Powerpoint Slides
No ratings yet
SY0-071-Module 2 Powerpoint Slides
315 pages
CIS Microsoft Dynamics 365 Power Platform v1.0.0
No ratings yet
CIS Microsoft Dynamics 365 Power Platform v1.0.0
60 pages
LogRhythm Platform Administrator
No ratings yet
LogRhythm Platform Administrator
2 pages
I R Event Log Analysis
No ratings yet
I R Event Log Analysis
23 pages
SOC Use Cases
No ratings yet
SOC Use Cases
10 pages
Log Management and Compliance Lab 10
No ratings yet
Log Management and Compliance Lab 10
13 pages
Cortex XDR-Windows Event Collection
No ratings yet
Cortex XDR-Windows Event Collection
3 pages
Raw Log
No ratings yet
Raw Log
17 pages
Delinea Privileged Access Management Pam Checklist
100% (1)
Delinea Privileged Access Management Pam Checklist
14 pages
Cloud Security for IT Professionals
No ratings yet
Cloud Security for IT Professionals
53 pages
Risk3sixty - The Business Case For ISO 27001 (Part 1)
0% (1)
Risk3sixty - The Business Case For ISO 27001 (Part 1)
5 pages
Open-Source Tools for Incident Response
No ratings yet
Open-Source Tools for Incident Response
46 pages
Keynote - 11 Strategies For World-Class Security Operations, Ingrid Parker, Carson Zimmerman
No ratings yet
Keynote - 11 Strategies For World-Class Security Operations, Ingrid Parker, Carson Zimmerman
27 pages
Responding to Advanced Cyber Attacks
No ratings yet
Responding to Advanced Cyber Attacks
29 pages
Make A Mars Helicopter: Instructions Materials
No ratings yet
Make A Mars Helicopter: Instructions Materials
2 pages
Hack Instagram Methodes
100% (8)
Hack Instagram Methodes
20 pages
C (C) C C C C## CC+C+C C C: & $!,C-, !'.,/c012c/&23c-,c - 3, c!4c
No ratings yet
C (C) C C C C## CC+C+C C C: & $!,C-, !'.,/c012c/&23c-,c - 3, c!4c
31 pages
Customer Complaint Handling SOP
No ratings yet
Customer Complaint Handling SOP
4 pages
Icecreamsales Worksheet: Training 3
No ratings yet
Icecreamsales Worksheet: Training 3
4 pages
Econ Challenge: Int'l Events Quiz
No ratings yet
Econ Challenge: Int'l Events Quiz
9 pages
F.Y.B.Sc Chemistry
No ratings yet
F.Y.B.Sc Chemistry
25 pages
Vol27 No2
100% (1)
Vol27 No2
33 pages
Euromonitor - Sportswear - in - Vietnam 3.2017
No ratings yet
Euromonitor - Sportswear - in - Vietnam 3.2017
8 pages
Maintenance Cost Benchmark Indicators
No ratings yet
Maintenance Cost Benchmark Indicators
2 pages
Shop Manual - M400-V - sn1001-3000 - 100822
100% (2)
Shop Manual - M400-V - sn1001-3000 - 100822
654 pages
Ak 4137
No ratings yet
Ak 4137
1 page
Small Value Procurement Requirements Guide
No ratings yet
Small Value Procurement Requirements Guide
1 page
Enterprise-Wide Information Systems
No ratings yet
Enterprise-Wide Information Systems
25 pages
Redox Reaction
No ratings yet
Redox Reaction
9 pages
Pni Safehouse Hs550 Wireless 3G Alarm System: User Manual / Manual de Utilizare
No ratings yet
Pni Safehouse Hs550 Wireless 3G Alarm System: User Manual / Manual de Utilizare
44 pages
Food Resources Februray 2025
No ratings yet
Food Resources Februray 2025
3 pages
B.Com Semester 1 Gujarati Medium Syllabus
No ratings yet
B.Com Semester 1 Gujarati Medium Syllabus
16 pages
Hyundai Design Philosophy: "Fluidic Sculpture"
No ratings yet
Hyundai Design Philosophy: "Fluidic Sculpture"
20 pages
1.0 AOSH IOGC v1
No ratings yet
1.0 AOSH IOGC v1
6 pages
HikCentral Pro License Details
No ratings yet
HikCentral Pro License Details
4 pages
Cantilever Beam
No ratings yet
Cantilever Beam
12 pages
ALLDY+Public+Ownership+Report+2022 03 31
No ratings yet
ALLDY+Public+Ownership+Report+2022 03 31
3 pages
Grade 11 Business Studies Review
No ratings yet
Grade 11 Business Studies Review
20 pages
Cut Flower Production in Asia
100% (1)
Cut Flower Production in Asia
88 pages
Liz Claiborne 2005 SWOT & Financial Analysis
100% (10)
Liz Claiborne 2005 SWOT & Financial Analysis
16 pages
Aggregator Agreement Format
0% (1)
Aggregator Agreement Format
5 pages
DTC P0100 Mass or Volume Air Flow Circuit DTC P0102 Mass or Volume Air Flow Circuit Low Input DTC P0103 Mass or Volume Air Flow Circuit High Input
No ratings yet
DTC P0100 Mass or Volume Air Flow Circuit DTC P0102 Mass or Volume Air Flow Circuit Low Input DTC P0103 Mass or Volume Air Flow Circuit High Input
7 pages
Getinge Service Pocket Quick Reference Guide
No ratings yet
Getinge Service Pocket Quick Reference Guide
124 pages
Accounting 370 Syllabus: Financial Reporting
No ratings yet
Accounting 370 Syllabus: Financial Reporting
14 pages

Logon Sessions for Cyber Defenders

Uploaded by

Logon Sessions for Cyber Defenders

Uploaded by

Once Upon a Login

How Logon Sessions Help Defenders See the Bigger Picture

You might also like