curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity
blog/source/threat-hunting/secondary-logon-service.md

15 lines
704 B
Markdown
Raw Blame History

---
title: Secondary Logon service
layout: page
date: 2025-10-05
---
Description: A built-in Windows feature that allows running programs under different user credentials.
References: [1](https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-enabled-a-near-two-month-intrusion/#privilege-escalation)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process="*seclogon*" BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
```
Reference in New Issue View Git Blame Copy Permalink