Adversaries who hold a local credential that is reused across hosts (a shared local administrator password, for example) can authenticate from a single source IP to many machines to establish persistence or move laterally. SOC teams should proactively hunt for this pattern in Microsoft Sentinel (formerly Azure Sentinel) to surface credential reuse and lateral movement before it is reported by an alert.
KQL Query

```kusto
DeviceLogonEvents
| where Timestamp > ago(30d)
// Local-account heuristic: for a local account, AccountDomain is the host's own name.
// DeviceName is usually reported as an FQDN, so compare against its host label, case-insensitively.
| where tolower(AccountDomain) == tolower(tostring(split(DeviceName, '.')[0]))
// Keep only logons that arrived over the network; drop loopback and placeholder source addresses.
| where isnotempty(RemoteIP) and RemoteIP !in ('::1', '-', '0.0.0.0') and RemoteIP !startswith "127."
| summarize LogonAttempts = count(),
            DistinctMachines = dcount(DeviceId),
            // DeviceLogonEvents ActionType values are LogonSuccess / LogonFailed, not 'Success'
            Successes = countif(ActionType == 'LogonSuccess'),
            RemoteDeviceName = take_any(RemoteDeviceName)
            by RemoteIP, Protocol, LogonType, AccountName
| order by Successes desc, LogonAttempts desc
```

Rows near the top with a high DistinctMachines count are the interesting ones: one source address, one local account name, many targets.
```yaml
id: 95a44d0f-b717-4e34-902f-2fad4d6fcbe3
name: Network Logons with Local Accounts
description: |
  This query looks for a large number of network-based authentications using local credentials coming from a single source IP address. High counts of logons involving a large number of distinct machines may identify an attacker beachhead within an enterprise.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
tactics:
  - LateralMovement
query: |
  DeviceLogonEvents
  | where Timestamp > ago(30d)
  // Local-account heuristic: AccountDomain equals the host's own name; DeviceName is usually an FQDN.
  | where tolower(AccountDomain) == tolower(tostring(split(DeviceName, '.')[0]))
  | where isnotempty(RemoteIP) and RemoteIP !in ('::1', '-', '0.0.0.0') and RemoteIP !startswith "127."
  | summarize LogonAttempts = count(),
              DistinctMachines = dcount(DeviceId),
              Successes = countif(ActionType == 'LogonSuccess'),
              RemoteDeviceName = take_any(RemoteDeviceName)
              by RemoteIP, Protocol, LogonType, AccountName
  | order by Successes desc, LogonAttempts desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure it is enabled and that the DeviceLogonEvents data type is selected |
False Positive Scenarios

Scenario: Scheduled System Maintenance Tasks
Description: A scheduled task (schtasks.exe or Task Scheduler) on a management host runs a job against many machines using a shared local service account, producing repeated local-account network logons from one source IP.
Filter/Exclusion: Exclude the specific pair of management-host IP and local account the task is documented to use (keep the pairs in a watchlist). Do not exclude by destination alone: a compromised management host produces exactly the same pattern.

Scenario: Remote PowerShell Management
Description: An administrator uses PowerShell Remoting (Invoke-Command or Enter-PSSession over WinRM) to manage many servers with a local administrator account, which appears as repeated local-account network logons from the administrator's workstation or jump host.
Filter/Exclusion: Exclude known administrative workstations, jump hosts or management IP ranges. Local-account remoting from any other source, or from an admin host outside its normal hours, still deserves a look.

Scenario: Backup and Sync Operations
Description: A backup tool (e.g., Veeam, Commvault or rsync) authenticates to a local service account on many machines to perform backups or data synchronisation, usually on a fixed schedule.
Filter/Exclusion: Exclude the backup servers' IPs combined with the backup service account name. A backup server IP authenticating as a different local account (the built-in Administrator, for instance) should not be excluded.

Scenario: User-Driven Remote Desktop Access
Description: A user with remote access rights (mstsc.exe or Remote Desktop Services) logs into several machines with local credentials for legitimate work; these show up with LogonType RemoteInteractive, preceded by a Network logon when Network Level Authentication is enabled.
Filter/Exclusion: Exclude only users with documented remote-access rights and the hosts they are permitted to reach, not user workstations in general: a workstation authenticating as a local account to many hosts is precisely the beachhead pattern this query targets.

Scenario: Active Directory Replication
Description: Domain controllers replicate with each other using their domain computer accounts over Kerberos, not local accounts (a domain controller holds no local SAM accounts apart from the DSRM administrator), so replication traffic should not satisfy the local-account condition of this query.
Filter/Exclusion: No exclusion is needed. If local-account logons between domain controllers do appear in the results, treat them as a finding to investigate rather than as an exclusion candidate.
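The block below is an added worked example, not the page's or Microsoft's own query. It runs the hunt logic over a constructed datatable that stands in for DeviceLogonEvents and applies the source-IP-plus-account allowlist that the scenarios above describe, so you can see which rows survive. The SampleLogonEvents and ApprovedLocalAccountSources tables, their IPs, host names and account names are invented for the example; against live data, replace the sample datatable with DeviceLogonEvents, use `Timestamp > ago(30d)` for the window, and feed the allowlist from a Sentinel watchlist via `_GetWatchlist()`.

```kusto
// Constructed sample rows (not real telemetry) in the DeviceLogonEvents column layout:
//   10.0.0.5  - beachhead host spraying the local 'administrator' across three servers
//   10.0.0.20 - approved backup server using its local service account on the same servers
//   10.0.0.30 - a domain-account logon (AccountDomain is the AD domain, not the host) that must be ignored
//   127.0.0.1 - a loopback logon that must be ignored
let SampleLogonEvents = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string,
    AccountName:string, AccountDomain:string, ActionType:string, LogonType:string,
    Protocol:string, RemoteIP:string, RemoteDeviceName:string) [
    datetime(2024-05-01 08:00:00), "dev1", "srv01.contoso.com", "administrator", "SRV01",   "LogonFailed",  "Network",     "NTLM",     "10.0.0.5",  "",
    datetime(2024-05-01 08:00:05), "dev1", "srv01.contoso.com", "administrator", "SRV01",   "LogonSuccess", "Network",     "NTLM",     "10.0.0.5",  "",
    datetime(2024-05-01 08:01:00), "dev2", "srv02.contoso.com", "administrator", "SRV02",   "LogonSuccess", "Network",     "NTLM",     "10.0.0.5",  "",
    datetime(2024-05-01 08:02:00), "dev3", "srv03.contoso.com", "administrator", "SRV03",   "LogonSuccess", "Network",     "NTLM",     "10.0.0.5",  "",
    datetime(2024-05-01 09:00:00), "dev1", "srv01.contoso.com", "svc_backup",    "SRV01",   "LogonSuccess", "Network",     "NTLM",     "10.0.0.20", "BACKUP01",
    datetime(2024-05-01 09:00:10), "dev2", "srv02.contoso.com", "svc_backup",    "SRV02",   "LogonSuccess", "Network",     "NTLM",     "10.0.0.20", "BACKUP01",
    datetime(2024-05-01 09:00:20), "dev3", "srv03.contoso.com", "svc_backup",    "SRV03",   "LogonSuccess", "Network",     "NTLM",     "10.0.0.20", "BACKUP01",
    datetime(2024-05-01 10:00:00), "dev1", "srv01.contoso.com", "jdoe",          "CONTOSO", "LogonSuccess", "Network",     "Kerberos", "10.0.0.30", "WS-JDOE",
    datetime(2024-05-01 10:05:00), "dev2", "srv02.contoso.com", "administrator", "SRV02",   "LogonSuccess", "Interactive", "NTLM",     "127.0.0.1", ""
];
// Hypothetical allowlist of approved management sources. Each entry pairs a source IP with the
// one local account it is permitted to use, so the same IP using any other local account still surfaces.
let ApprovedLocalAccountSources = datatable(RemoteIP:string, AccountName:string, Purpose:string) [
    "10.0.0.20", "svc_backup", "Backup server BACKUP01 (scheduled backups)"
];
// Fixed reference time so the sample stays inside the 30-day window; use now() against live data.
let ReferenceTime = datetime(2024-05-02 00:00:00);
SampleLogonEvents
| where Timestamp > ReferenceTime - 30d
// Local-account heuristic: AccountDomain equals the device's host label (DeviceName is an FQDN).
| extend HostLabel = tolower(tostring(split(DeviceName, '.')[0]))
| where tolower(AccountDomain) == HostLabel
// Network-sourced logons only: drop loopback and placeholder source addresses.
| where isnotempty(RemoteIP) and RemoteIP !in ('::1', '-', '0.0.0.0') and RemoteIP !startswith "127."
// Remove only the approved (source IP, local account) pairs; everything else stays in scope.
| join kind=leftanti ApprovedLocalAccountSources on RemoteIP, AccountName
| summarize LogonAttempts = count(),
            DistinctMachines = dcount(DeviceId),
            Successes = countif(ActionType == 'LogonSuccess'),
            RemoteDeviceName = take_any(RemoteDeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
            by RemoteIP, Protocol, LogonType, AccountName
// One source, one local account, more than one target is the beachhead shape worth triaging.
| where DistinctMachines >= 2
| order by Successes desc, LogonAttempts desc
```

With the sample data this returns a single row: RemoteIP 10.0.0.5, Protocol NTLM, LogonType Network, AccountName administrator, with LogonAttempts 4, DistinctMachines 3 and Successes 3. The backup server disappears because its IP and account match the allowlist, the jdoe row is dropped by the local-account check (AccountDomain is CONTOSO, not the host), and the 127.0.0.1 row is dropped by the loopback filter. The `DistinctMachines >= 2` threshold and the 30-day window are tuning knobs; raise them in large estates to keep the result set reviewable.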