mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
f80cf52982
Back then when we created this rule, we noticed that "logon attempt with expired account" happens pretty often, so we decided to not include it. All event codes in this rule did not appear in a 30 day time period and therefore the rule's "level" was set to "high".
30 lines
1.3 KiB
YAML
30 lines
1.3 KiB
YAML
title: Account Tampering - Suspicious Failed Logon Reasons
|
|
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
|
|
author: Florian Roth
|
|
modified: 2019/03/01
|
|
references:
|
|
- https://twitter.com/SBousseaden/status/1101431884540710913
|
|
tags:
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
- attack.t1078
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 4625
|
|
- 4776
|
|
Status:
|
|
- '0xC0000072' # User logon to account disabled by administrator
|
|
- '0xC000006F' # User logon outside authorized hours
|
|
- '0xC0000070' # User logon from unauthorized workstation
|
|
- '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
|
|
- '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
|
|
- '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
|
|
condition: selection
|
|
falsepositives:
|
|
- User using a disabled account
|
|
level: high
|