valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
bda207660d
SigmaHQ/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml

27 lines
867 B
YAML
Raw Normal View History

Adding 4 initial sigma rules
2021-06-03 21:51:47 +00:00
title: Multiple Users Attempting To Authenticate Using Explicit Credentials
id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
author: Mauricio Velazco
minor fixes and 3 extra sigma rules
2021-06-03 22:26:07 +00:00
date: 2021/06/01
adding references
2021-06-04 03:38:10 +00:00
references:
- https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
Adding 4 initial sigma rules
2021-06-03 21:51:47 +00:00
tags:
- attack.t1110.003
- attack.initial_access
- attack.privilege_escalation
logsource:
product: windows
service: security
detection:
selection1:
EventID: '4648'
timeframe: 24h
condition:
- selection1 | count(Account_Name) by ComputerName > 10
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
level: medium
Reference in New Issue Copy Permalink