From 50fb36c4cb71dc957c4af1d2c0ce2bbbe61335cd Mon Sep 17 00:00:00 2001
From: JSHOX1 <33523066+JSHOX1@users.noreply.github.com>
Date: Wed, 2 Feb 2022 09:24:13 -0500
Subject: [PATCH] Create win_susp_ntlm_brute_force.yml

---
 .../ntlm/win_susp_ntlm_brute_force.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml

diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
new file mode 100644
index 000000000..6b649dec5
--- /dev/null
+++ b/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml
@@ -0,0 +1,31 @@
+title: NTLM Brute Force
+status: experimental
+description: Detects common NTLM brute force device names
+references:
+    - https://www.varonis.com/blog/investigate-ntlm-brute-force
+author: Jerry Shockley '@jsh0x'
+date: 2022/02/02
+tags:
+    - attack.credential_access
+    - attack.t1110
+logsource:
+    product: windows
+    service: ntlm
+    definition: Requires events from Microsoft-Windows-NTLM/Operational
+detection:
+    selection:
+        EventID: 8004
+    devicename:
+        Workstation_name:
+            - 'Rdesktop'
+            - 'Remmina'
+            - 'Freerdp'
+            - 'Windows7'
+            - 'Windows8'
+            - 'Windows2012'
+            - 'Windows2016'
+            - 'Windows2019'
+    condition: selection and 1 of devicename
+falsepositives:
+    - Unknown
+level: low
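Review bot: The field name `Workstation_name` under the devicename selection does not look like the data element that Microsoft-Windows-NTLM/Operational event 8004 carries (to my knowledge it is `WorkstationName`), and a field name that matches neither the log schema nor a backend field mapping makes the rule silently never match, so confirm it against an exported 8004 event before merging. The rule also has no `id:` line, which the Sigma rule format requires; add `id: <generated-uuid4>` below `title`. `1 of devicename` names a single selection, so the condition reduces to `selection and devicename`. Since one 8004 event with one of these workstation names fires the rule, it is a weak indicator rather than evidence of a brute-force volume, and the falsepositives entry should name the legitimate sources of these generic names (third-party RDP clients, hosts literally named Windows7 and so on) instead of `Unknown`.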