SigmaHQ/rules/windows/builtin/win_susp_failed_logon_reasons.yml

title: Account Tampering - Suspicious Failed Logon Reasons
id: 9eb99343-d336-4020-a3cd-67f3819e68ee
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow
    restricted.
author: Florian Roth
date: 2017/02/19
modified: 2019/03/01
references:
    - https://twitter.com/SBousseaden/status/1101431884540710913
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1078
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4625
            - 4776
        Status:
            - '0xC0000072'  # User logon to account disabled by administrator
            - '0xC000006F'  # User logon outside authorized hours
            - '0xC0000070'  # User logon from unauthorized workstation
            - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
            - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
    condition: selection
falsepositives:
    - User using a disabled account
level: high
Consistency between format description and examples - description/comment -> title/description - addition of reference 2017-01-10 21:40:59 +00:00			`title: Account Tampering - Suspicious Failed Logon Reasons`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 9eb99343-d336-4020-a3cd-67f3819e68ee`
			`description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow`
			`restricted.`
Added "logsource" sections and new rule 2017-02-18 23:31:59 +00:00			`author: Florian Roth`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/02/19`
Added modified date 2019-03-01 11:07:31 +00:00			`modified: 2019/03/01`
Added error code for denied logon type 2019-03-01 11:06:54 +00:00			`references:`
			`- https://twitter.com/SBousseaden/status/1101431884540710913`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.persistence`
			`- attack.privilege_escalation`
			`- attack.t1078`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`logsource:`
Removed lists from log source section 2017-02-19 10:08:23 +00:00			`product: windows`
Windows Built-In rules > LogSource definition 2017-03-05 22:55:52 +00:00			`service: security`
First Example Set - Builtin 2016-12-24 11:23:47 +00:00			`detection:`
Examples and Image 2016-12-26 01:21:55 +00:00			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventID:`
			`- 4625`
			`- 4776`
			`Status:`
Update win_susp_failed_logon_reasons.yml Added descriptions for logon failure statuses and new logon failure status that may indicate suspicious logon. 2019-03-01 15:18:39 +00:00			`- '0xC0000072' # User logon to account disabled by administrator`
			`- '0xC000006F' # User logon outside authorized hours`
			`- '0xC0000070' # User logon from unauthorized workstation`
			`- '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine`
			`- '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed`
Added error code for denied logon type 2019-03-01 11:06:54 +00:00			`- '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine`
Remove implicit selection number, first Sysmon example 2017-01-10 14:05:19 +00:00			`condition: selection`
First Example Set - Builtin 2016-12-24 11:23:47 +00:00			`falsepositives:`
			`- User using a disabled account`
Levels to low, medium, high, critical 2017-02-16 17:02:26 +00:00			`level: high`