valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9705366060
SigmaHQ/rules/windows/builtin/win_susp_failed_logons_single_source.yml

30 lines
831 B
YAML
Raw Normal View History

Consistency between format description and examples - description/comment -> title/description - addition of reference
2017-01-10 21:40:59 +00:00
title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
Added "logsource" sections and new rule
2017-02-18 23:31:59 +00:00
author: Florian Roth
logsource:
Removed lists from log source section
2017-02-19 10:08:23 +00:00
product: windows
Windows Built-In rules > LogSource definition
2017-03-05 22:55:52 +00:00
service: security
Example Updates
2016-12-27 13:49:54 +00:00
detection:
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename
2018-03-26 20:53:38 +00:00
selection1:
Rule review and cleanup * removed unnecessary one element lists from definitions * converted some lists of one element maps to maps because the resulting OR linkage would cause wrong result.
2017-02-15 22:53:08 +00:00
EventID:
- 529
- 4625
UserName: not null
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename
2018-03-26 20:53:38 +00:00
WorkstationName: not null
selection2:
EventID: 4776
UserName: not null
Workstation: not null
Removed 'last' keyword from 'timeframe' fields
2017-02-28 16:52:40 +00:00
timeframe: 24h
Various rule fixes * Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename
2018-03-26 20:53:38 +00:00
condition:
- selection1 | count(UserName) by WorkstationName > 3
- selection2 | count(UserName) by Workstation > 3
Example Updates
2016-12-27 13:49:54 +00:00
falsepositives:
Updated examples
2016-12-27 22:09:41 +00:00
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
Levels to low, medium, high, critical
2017-02-16 17:02:26 +00:00
level: medium
Removed lists from log source section
2017-02-19 10:08:23 +00:00
Reference in New Issue Copy Permalink