mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
a3e02ea70f
* Field name: LogonProcess -> LogonProcessName * Field name: Message -> AuditPolicyChanges * Field name: ProcessCommandLine -> CommandLine * Removed Type match in Kerberos RC4 encryption rule Problematic because text representation not unified and audit failures are possibly interesting events * Removed field 'Severity' from rules (Redundant) * Rule decomposition of win_susp_failed_logons_single_source) because of different field names * Field name: SubjectAccountName -> SubjectUserName * Field name: TargetProcess -> TargetImage * Field name: TicketEncryption -> TicketEncryptionType * Field name: TargetFileName -> TargetFilename
30 lines
831 B
YAML
30 lines
831 B
YAML
title: Multiple Failed Logins with Different Accounts from Single Source System
|
|
description: Detects suspicious failed logins with different user accounts from a single source system
|
|
author: Florian Roth
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection1:
|
|
EventID:
|
|
- 529
|
|
- 4625
|
|
UserName: not null
|
|
WorkstationName: not null
|
|
selection2:
|
|
EventID: 4776
|
|
UserName: not null
|
|
Workstation: not null
|
|
timeframe: 24h
|
|
condition:
|
|
- selection1 | count(UserName) by WorkstationName > 3
|
|
- selection2 | count(UserName) by Workstation > 3
|
|
falsepositives:
|
|
- Terminal servers
|
|
- Jump servers
|
|
- Other multiuser systems like Citrix server farms
|
|
- Workstations with frequently changing users
|
|
level: medium
|
|
|
|
|