
Detection of Generic User Account Usage

This query identifies the use of generic or shared user accounts by leveraging a predefined lookup file containing known default and non-personalized usernames (e.g., admin, test, root).

Tags: EDR, detection, T1078
Data source: FDR. Difficulty: intermediate. By ByteRay GmbH (cql-hub.com).

Query

// Restrict the search to Falcon UserLogon events
"#event_simpleName" = UserLogon
// Normalize case so that "Admin" and "ADMIN" both match the lookup entry "admin"
| user.name := lower(user.name)
// One row per account/host pair; groupBy() adds the _count field automatically
| groupBy([user.name, ComputerName])
// Keep only rows whose user.name appears in the "username" column of the lookup file
| match(file="generic-usernames.csv", field=[user.name], column=[username])
| table([user.name, ComputerName, _count])
| User := rename(user.name)
| Host := rename(ComputerName)
| LogonCount := rename(_count)
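An added example, not part of the cql-hub.com page or the query author's code: the same pipeline reproduced in Python over constructed UserLogon events and a constructed generic-usernames.csv, so the lookup list can be checked for what it will and will not flag (including case variants) before the query is deployed. Field names follow the query; the sample events and lookup rows are assumptions.

```python
"""Offline model of the generic-username logon detection (added example).
Mirrors the CQL pipeline: lower(user.name) -> groupBy on user.name/ComputerName
-> match() against generic-usernames.csv -> rename to User/Host/LogonCount."""
import csv
import io
from collections import Counter

# Constructed stand-in for the generic-usernames.csv lookup file (column: username).
GENERIC_USERNAMES_CSV = """username
admin
administrator
test
root
guest
"""

# Constructed UserLogon events; in production they come from FDR (#event_simpleName=UserLogon).
SAMPLE_EVENTS = [
    {"#event_simpleName": "UserLogon", "user.name": "Admin", "ComputerName": "WS-01"},
    {"#event_simpleName": "UserLogon", "user.name": "admin", "ComputerName": "WS-01"},
    {"#event_simpleName": "UserLogon", "user.name": "jdoe", "ComputerName": "WS-01"},
    {"#event_simpleName": "UserLogon", "user.name": "TEST", "ComputerName": "SRV-DB"},
    {"#event_simpleName": "ProcessRollup2", "user.name": "root", "ComputerName": "SRV-DB"},
]

def load_lookup(csv_text):
    """Parse the lookup file into a set of lowercase usernames (column 'username')."""
    return {row["username"].strip().lower() for row in csv.DictReader(io.StringIO(csv_text))}

def detect_generic_logons(events, generic_usernames):
    """Return rows of {User, Host, LogonCount} for logons by a generic account name."""
    counts = Counter()
    for ev in events:
        if ev.get("#event_simpleName") != "UserLogon":
            continue  # the query filters on the UserLogon event type first
        user = ev.get("user.name", "").lower()  # user.name := lower(user.name)
        counts[(user, ev.get("ComputerName", ""))] += 1  # groupBy on user.name, ComputerName
    # match(file=..., field=[user.name], column=[username]) keeps only lookup hits
    return [
        {"User": user, "Host": host, "LogonCount": n}
        for (user, host), n in sorted(counts.items())
        if user in generic_usernames
    ]

if __name__ == "__main__":
    for row in detect_generic_logons(SAMPLE_EVENTS, load_lookup(GENERIC_USERNAMES_CSV)):
        print(row)
```

With the constructed data the two "Admin"/"admin" logons on WS-01 collapse into one row with LogonCount 2, the ProcessRollup2 event for root is ignored, and jdoe is not reported.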

Explanation

Imported from cql-hub.com. Pipe by pipe: the first filter restricts the search to UserLogon events; user.name := lower(user.name) normalizes the account name to lowercase so that case variants such as Admin or ADMIN still match the lookup; groupBy() on user.name and ComputerName collapses the events into one row per account and host and adds the _count field; match() keeps only the rows whose user.name appears in the username column of generic-usernames.csv; table() selects the three output columns; and the three rename() calls give them the readable names User, Host and LogonCount.

Variables to adjust

Review and adjust the values for your environment: the lookup file name (generic-usernames.csv) and its column name (username) must match the file uploaded to your repository, and the list itself should be extended with the default and shared account names actually in use in your estate, since the query only reports accounts that appear in it.