valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
16c5192ee9
SigmaHQ/rules/windows/builtin/win_susp_failed_logon_reasons.yml

22 lines
626 B
YAML
Raw Normal View History

Consistency between format description and examples - description/comment -> title/description - addition of reference
2017-01-10 21:40:59 +00:00
title: Account Tampering - Suspicious Failed Logon Reasons
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Added "logsource" sections and new rule
2017-02-18 23:31:59 +00:00
author: Florian Roth
Levels to low, medium, high, critical
2017-02-16 17:02:26 +00:00
logsource:
Removed lists from log source section
2017-02-19 10:08:23 +00:00
product: windows
First Example Set - Builtin
2016-12-24 11:23:47 +00:00
detection:
Examples and Image
2016-12-26 01:21:55 +00:00
selection:
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result.
2017-02-15 22:53:08 +00:00
EventLog: Security
EventID:
- 4625
- 4776
Status:
- 0xC0000072
- 0xC000006F
- 0xC0000070
- 0xC0000413
- 0xC000018C
Remove implicit selection number, first Sysmon example
2017-01-10 14:05:19 +00:00
condition: selection
First Example Set - Builtin
2016-12-24 11:23:47 +00:00
falsepositives:
- User using a disabled account
Levels to low, medium, high, critical
2017-02-16 17:02:26 +00:00
level: high
Reference in New Issue Copy Permalink