From 5c4e67589942ee2192dd65ea798837625e189f34 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Sat, 4 Oct 2025 22:26:50 +0000 Subject: [PATCH] feat(threat-hunting): Secondary Logon service --- source/threat-hunting/index.md | 3 ++- source/threat-hunting/secondary-logon-service.md | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 source/threat-hunting/secondary-logon-service.md diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index c4eb49d..4b908e8 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -2,7 +2,7 @@ title: Splunk Threat Hunting layout: page date: 2025-01-15 -updated: 2025-09-21 +updated: 2025-10-05 --- - [Generate ad_users.csv](ldap-ad-users) @@ -107,6 +107,7 @@ updated: 2025-09-21 - [Suspicious command involving Public folder](suspicious-command-public-folder) - [Splunk Events Deletion](splunk-events-deletion) - [SafeDllSearchMode is modified](safedllsearchmode-is-modified) +- [Secondary Logon service](secondary-logon-service) - [Suspicious Logon/Logoff Events](suspicious-logon-logoff-events) - [Suspicious Netscaler CLI](suspicious-netscaler-cli) - [Suspicious Network Settings](suspicious-network-settings) diff --git a/source/threat-hunting/secondary-logon-service.md b/source/threat-hunting/secondary-logon-service.md new file mode 100644 index 0000000..b84bcfb --- /dev/null +++ b/source/threat-hunting/secondary-logon-service.md 
@@ -0,0 +1,14 @@ +--- +title: Secondary Logon service +layout: page +date: 2025-10-05 +--- + +Description: A built-in Windows feature that allows running programs under different user credentials. +References: [1](https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/#privilege-escalation) +SPL: + +```spl +| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process="*seclogon*" BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s +| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription +```
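Review bot: In the new `secondary-logon-service.md` hunk, the `Description:` line explains what the Secondary Logon service is but not what a hit from the SPL means, so an analyst landing on this page cannot tell why a match is worth triaging. The filter `Processes.process="*seclogon*"` returns every process whose command line contains that string, routine service administration included, while the only context is a link to the privilege-escalation section of the Lunar Spider report. Suggest stating which activity from that report the hunt targets and what a benign match looks like, for example extending the line to `Description: A built-in Windows feature that allows running programs under different user credentials. This hunt surfaces commands that reference the seclogon service (e.g. starting or reconfiguring it); review parent_process and user for each hit, since legitimate administration will also match.` A one-line note on tuning (which `parent_process` or `user` values to exclude once a baseline is known) would fit the pattern of the other hunt pages listed in `index.md`.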