Create win_susp_ntlm_brute_force.yml

rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml

@@ -0,0 +1,31 @@
+title: NTLM Brute Force
+status: experimental
+description: Detects common NTLM brute force device names
+references:
+    - https://www.varonis.com/blog/investigate-ntlm-brute-force
+author: Jerry Shockley '@jsh0x'
+date: 2022/02/02
+tags:
+    - attack.credential_access
+    - attack.t1110
+logsource:
+    product: windows
+    service: ntlm
+    definition: Requires events from Microsoft-Windows-NTLM/Operational
+detection:
+    selection:
+        EventID: 8004
+    devicename:
+        Workstation_name:
+            - 'Rdesktop'
+            - 'Remmina'
+            - 'Freerdp'
+            - 'Windows7'
+            - 'Windows8'
+            - 'Windows2012'
+            - 'Windows2016'
+            - 'Windows2019'
+    condition: selection and 1 of devicename
+falsepositives:
+    - Unknown
+level: low