What are your thoughts on adding event 4611 to the data source / component: Logon Session / Logon Session Metadata? I understand this event is not related to the creation of a logon session, but it describes the registration of a trusted logon process that will handle the logon process. Also, since the event provides context of the user that registered the trusted logon process, what are your thoughts on adding another yaml file with the relation: user --> registered --> logon process? This new relationship would also be mapped to the Logon Session / Logon Session Metadata.
Hi @Cyb3rPandaH
Thanks for your time,
I actually thought of that, but the documentation of the event threw me off here:
At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates.
So the relationship user --> registered --> logon process is not technically accurate, however, we can go with it at the moment from an attribution perspective.
Hey @H1L021 ,
I agree on that, using event 4611 with user context makes more sense when attributing the registration of the trusted logon process. I think we can add the relationship and add a note for this event with reference to the documentation.
In addition, instead of using logon process as target, we could use the entity name process. The logon context for this relationship would come from the ATT&CK mapping. Any comment?
Event 4611 will also be part of the Logon Session Metadata yaml file, since more than one relationship could be described from an event.
PR Comment: #46 @H1L021
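As an added example, not code from the OSSEM project or from anyone in this thread: the script below takes a Windows Security event 4611 record and produces the user --> registered --> process triple proposed above, tagged with the ATT&CK data source / component it would map to. The sample event XML is constructed (the field names SubjectUserName, SubjectDomainName and LogonProcessName are the documented 4611 fields; the values are made up), and the `RELATIONSHIPS` layout only approximates the OSSEM-DM relationship YAML files; the `fields` mapping and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Event Log XML exports.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample of a 4611 event ("A trusted logon process has been
# registered with the Local Security Authority"). Values are made up.
SAMPLE_4611 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4611</EventID>
    <Channel>Security</Channel>
    <Computer>WKS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WKS01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="LogonProcessName">Winlogon</Data>
  </EventData>
</Event>"""

# Relationship definitions, laid out to resemble an OSSEM-DM relationship YAML
# file (assumed layout, not copied from the project). The "note" records the
# caveat raised in the thread; "fields" (hypothetical) says which event fields
# populate the source and target of the triple.
RELATIONSHIPS = [
    {
        "name": "User registered logon process",
        "note": ("4611 is raised when LSA confirms a process is a trusted logon "
                 "process, not strictly at registration time; see the event docs"),
        "attack": {"data_source": "Logon Session",
                   "data_component": "Logon Session Metadata"},
        "behavior": {"source": "user", "relationship": "registered",
                     "target": "process"},
        "security_events": [4611],
        "fields": {"source": ["SubjectDomainName", "SubjectUserName"],
                   "target": ["LogonProcessName"]},
    },
]


def parse_event(xml_text):
    """Return {"event_id": int, "data": {field name: value}} for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return {"event_id": event_id, "data": data}


def relationships_for_event(event):
    """Emit every relationship triple that this event's ID is registered for."""
    out = []
    for rel in RELATIONSHIPS:
        if event["event_id"] not in rel["security_events"]:
            continue
        # DOMAIN\user for the source, process name for the target.
        source = "\\".join(event["data"][f] for f in rel["fields"]["source"])
        target = "\\".join(event["data"][f] for f in rel["fields"]["target"])
        out.append({
            "data_source": rel["attack"]["data_source"],
            "data_component": rel["attack"]["data_component"],
            "source": source,
            "relationship": rel["behavior"]["relationship"],
            "target": target,
        })
    return out


def events_for_component(component):
    """Set of event IDs that back a given ATT&CK data component."""
    return {eid for rel in RELATIONSHIPS
            if rel["attack"]["data_component"] == component
            for eid in rel["security_events"]}


if __name__ == "__main__":
    for triple in relationships_for_event(parse_event(SAMPLE_4611)):
        print(triple)
    print(sorted(events_for_component("Logon Session Metadata")))
```

Because relationships are keyed by event ID, adding a second entry to `RELATIONSHIPS` that lists 4611 is all it takes for one event to describe more than one relationship, which is the point made about the Logon Session Metadata file.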