SigmaHQ/rules/windows/builtin/win_susp_failed_logon_reasons.yml

title: Account Tampering - Suspicious Failed Logon Reasons
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
detection:
    selection:
        EventLog: Security
        EventID:
            - 4625
            - 4776
        Status:
            - 0xC0000072
            - 0xC000006F
            - 0xC0000070
            - 0xC0000413
            - 0xC000018C
    condition: selection
falsepositives:
    - User using a disabled account
level: 70
Consistency between format description and examples - description/comment -> title/description - addition of reference 2017-01-10 21:40:59 +00:00			`title: Account Tampering - Suspicious Failed Logon Reasons`
			`description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.`
First Example Set - Builtin 2016-12-24 11:23:47 +00:00			`detection:`
Examples and Image 2016-12-26 01:21:55 +00:00			`selection:`
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result. 2017-02-15 22:53:08 +00:00			`EventLog: Security`
			`EventID:`
			`- 4625`
			`- 4776`
			`Status:`
			`- 0xC0000072`
			`- 0xC000006F`
			`- 0xC0000070`
			`- 0xC0000413`
			`- 0xC000018C`
Remove implicit selection number, first Sysmon example 2017-01-10 14:05:19 +00:00			`condition: selection`
First Example Set - Builtin 2016-12-24 11:23:47 +00:00			`falsepositives:`
			`- User using a disabled account`
Consistency between format description and examples - description/comment -> title/description - addition of reference 2017-01-10 21:40:59 +00:00			`level: 70`