rules/windows/builtin/win_susp_failed_logons_single_source.yml

title: Multiple Failed Logins with Different Accounts from Single Source System
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1078
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID:
            - 529
            - 4625
        UserName: '*'
        WorkstationName: '*'
    selection2:
        EventID: 4776
        UserName: '*'
        Workstation: '*'
    timeframe: 24h 
    condition:
        - selection1 | count(UserName) by WorkstationName > 3
        - selection2 | count(UserName) by Workstation > 3
falsepositives:
    - Terminal servers
    - Jump servers
    - Other multiuser systems like Citrix server farms
    - Workstations with frequently changing users 
level: medium
Consistency between format description and examples 2017-01-10 22:40:59 +01:00			`title: Multiple Failed Logins with Different Accounts from Single Source System`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: e98374a6-e2d9-4076-9b5c-11bdb2569995`
			`description: Detects suspicious failed logins with different user accounts from a single source system`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`author: Florian Roth`
Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00			`tags:`
			`- attack.persistence`
			`- attack.privilege_escalation`
			`- attack.t1078`
Added "logsource" sections and new rule 2017-02-19 00:31:59 +01:00			`logsource:`
Removed lists from log source section 2017-02-19 11:08:23 +01:00			`product: windows`
Windows Built-In rules > LogSource definition 2017-03-05 23:55:52 +01:00			`service: security`
Example Updates 2016-12-27 14:49:54 +01:00			`detection:`
Various rule fixes 2018-03-26 22:53:38 +02:00			`selection1:`
Rule review and cleanup 2017-02-15 23:53:08 +01:00			`EventID:`
			`- 529`
			`- 4625`
Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:12 +02:00			`UserName: '*'`
			`WorkstationName: '*'`
Various rule fixes 2018-03-26 22:53:38 +02:00			`selection2:`
			`EventID: 4776`
Adjusted rules to the new specs reg "not null" usage 2018-06-28 09:30:12 +02:00			`UserName: '*'`
			`Workstation: '*'`
Removed 'last' keyword from 'timeframe' fields 2017-02-28 17:52:40 +01:00			`timeframe: 24h`
Various rule fixes 2018-03-26 22:53:38 +02:00			`condition:`
			`- selection1 \| count(UserName) by WorkstationName > 3`
			`- selection2 \| count(UserName) by Workstation > 3`
Example Updates 2016-12-27 14:49:54 +01:00			`falsepositives:`
Updated examples 2016-12-27 23:09:41 +01:00			`- Terminal servers`
			`- Jump servers`
			`- Other multiuser systems like Citrix server farms`
			`- Workstations with frequently changing users`
Levels to low, medium, high, critical 2017-02-16 18:02:26 +01:00			`level: medium`
Removed lists from log source section 2017-02-19 11:08:23 +01:00