feat(threat-hunting): Secondary Logon service

2025-10-04 22:26:50 +00:00 · 2025-10-04 22:26:50 +00:00 · 5c4e675899
parent d566c42fa7
commit 5c4e675899
2 changed files with 16 additions and 1 deletions
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@ -2,7 +2,7 @@
 title: Splunk Threat Hunting
 layout: page
 date: 2025-01-15
-updated: 2025-09-21
+updated: 2025-10-05
 ---

 - [Generate ad_users.csv](ldap-ad-users)
@ -107,6 +107,7 @@ updated: 2025-09-21
 - [Suspicious command involving Public folder](suspicious-command-public-folder)
 - [Splunk Events Deletion](splunk-events-deletion)
 - [SafeDllSearchMode is modified](safedllsearchmode-is-modified)
+- [Secondary Logon service](secondary-logon-service)
 - [Suspicious Logon/Logoff Events](suspicious-logon-logoff-events)
 - [Suspicious Netscaler CLI](suspicious-netscaler-cli)
 - [Suspicious Network Settings](suspicious-network-settings)
--- a/source/threat-hunting/secondary-logon-service.md
+++ b/source/threat-hunting/secondary-logon-service.md
@ -0,0 +1,14 @@
+---
+title: Secondary Logon service
+layout: page
+date: 2025-10-05
+---
+
+Description: A built-in Windows feature that allows running programs under different user credentials.
+References: [1](https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/#privilege-escalation)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process="*seclogon*" BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
+| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
+```