SigmaHQ/rules/windows/builtin/win_susp_failed_logon_reasons.yml

32 lines
1.4 KiB
YAML
Raw Normal View History

title: Account Tampering - Suspicious Failed Logon Reasons
2019-11-12 22:12:27 +00:00
id: 9eb99343-d336-4020-a3cd-67f3819e68ee
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow
restricted.
author: Florian Roth
2019-03-01 11:07:31 +00:00
modified: 2019/03/01
2019-03-01 11:06:54 +00:00
references:
- https://twitter.com/SBousseaden/status/1101431884540710913
2018-07-24 05:50:32 +00:00
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
2017-02-16 17:02:26 +00:00
logsource:
2017-02-19 10:08:23 +00:00
product: windows
service: security
2016-12-24 11:23:47 +00:00
detection:
2016-12-26 01:21:55 +00:00
selection:
EventID:
- 4625
- 4776
Status:
- '0xC0000072' # User logon to account disabled by administrator
- '0xC000006F' # User logon outside authorized hours
- '0xC0000070' # User logon from unauthorized workstation
- '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
- '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
2019-03-01 11:06:54 +00:00
- '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
condition: selection
2016-12-24 11:23:47 +00:00
falsepositives:
- User using a disabled account
2017-02-16 17:02:26 +00:00
level: high