title: Account Tampering - Suspicious Failed Logon Reasons
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
author: Florian Roth
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4625
            - 4776
        Status:
            - 0xC0000072
            - 0xC000006F
            - 0xC0000070
            - 0xC0000413
            - 0xC000018C
    condition: selection
falsepositives:
    - User using a disabled account
level: high