AN0590: Analytic 0590
Detection of suspicious logon behavior using valid domain accounts across multiple hosts, off-hours, or simultaneous sessions from geographically distant locations.
Analyst context for executives and security teams
AN0590 is a Windows-focused detection analytic for suspicious use of valid domain accounts, such as the same account appearing across multiple hosts, outside normal working hours, or in geographically distant simultaneous sessions. For leaders, the value is not just spotting a bad login; it is validating whether identity telemetry can reveal account misuse before it becomes a broader incident affecting business continuity.
Executive priority
Prioritize this analytic as an identity and SOC readiness check. It helps answer whether the organization can detect abnormal domain account behavior using evidence it already collects, support incident decisions when credentials may be misused, and produce audit-relevant proof that privileged or workforce account activity is monitored. Because ATT&CK provides no tactic mapping, detection logic, or relationship context here, teams should treat it as a coverage validation item rather than a complete detection strategy.
Technical view
SOC and detection teams should validate whether Windows domain logon activity can be correlated by account, host, time, and source location. The core analytic concept is abnormal valid-account behavior: one domain account used across multiple hosts, logons occurring outside expected hours, or sessions that appear geographically inconsistent. Since no official detection logic is provided, teams need local baselines, identity context, asset context, and tuning rules to separate suspicious activity from administrators, service accounts, remote work, VPNs, and travel.
Likely telemetry
- Windows authentication and logon events
- Domain controller authentication records
- Account-to-host logon history
- Timestamped session activity
- Source network address and derived geolocation where available
Detection direction
- Confirm that domain logon events are collected consistently from Windows hosts and domain controllers.
- Correlate activity by user account across multiple hosts within defined time windows.
- Baseline normal working hours and expected host usage before alerting on off-hours access.
- Treat geographically distant simultaneous sessions carefully; VPN, proxy, remote access, and travel can create false positives.
- Separate human users, administrators, and service accounts because each requires different thresholds and investigation playbooks.
Mitigation priorities
- Ensure Windows domain authentication logging is enabled, retained, and searchable for investigation.
- Improve identity hygiene by maintaining account ownership, role, and expected-use documentation.
- Apply stronger controls to accounts where abnormal logon behavior would create high business risk, especially administrative or widely trusted accounts.
- Review remote access and VPN logging so analysts can explain location anomalies accurately.
- Create incident response procedures for suspected domain account misuse, including account containment, session review, and host scoping.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure. The supplied ATT&CK fields support Windows platform scope and suspicious domain-account logon behavior, but do not provide tactics, related techniques, detection pseudocode, mitigations, or relationships. Local baselines and identity context are essential for making this analytic useful.
Official detection content is not provided, and no relationship context is supplied. This take cannot assert active exploitation, actor use, specific ATT&CK tactics, detection efficacy, or coverage beyond Windows-domain logon behavior described in the object.
Analytic 0590
Detection of suspicious logon behavior using valid domain accounts across multiple hosts, off-hours, or simultaneous sessions from geographically distant locations.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | e33ccac6320e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0590Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.