valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
407d8214f7
SigmaHQ/rules/windows/builtin/win_susp_failed_logons_single_source.yml
David Spautz e275d44462 Add tags to windows builtin rules
2018-07-24 07:50:32 +02:00

34 lines
895 B
YAML
Raw Blame History

title: Multiple Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 529
- 4625
UserName: '*'
WorkstationName: '*'
selection2:
EventID: 4776
UserName: '*'
Workstation: '*'
timeframe: 24h
condition:
- selection1 | count(UserName) by WorkstationName > 3
- selection2 | count(UserName) by Workstation > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
level: medium
Reference in New Issue View Git Blame Copy Permalink