Merge pull request #271 from vburov/patch-4

Update win_susp_failed_logon_reasons.yml
2019-03-02 07:21:28 +01:00
parent 99b15edf8a f80cf52982
commit bd4e61acd8
1 changed files with 5 additions and 5 deletions
@@ -17,11 +17,11 @@ detection:
            - 4625
            - 4776
        Status:
-            - '0xC0000072'
-            - '0xC000006F'
-            - '0xC0000070'
-            - '0xC0000413'
-            - '0xC000018C'
+            - '0xC0000072'  # User logon to account disabled by administrator
+            - '0xC000006F'  # User logon outside authorized hours
+            - '0xC0000070'  # User logon from unauthorized workstation
+            - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
+            - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
    condition: selection
 falsepositives: