security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/windows/builtin/win_susp_failed_logons_single_source.yml
T
frack113 1cfca93354 Missing status in rules (#2284) 
* add missing status
2021-11-19 22:32:26 +01:00

28 lines
824 B
YAML
Raw Blame History

title: Failed Logins with Different Accounts from Single Source System
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
description: Detects suspicious failed logins with different user accounts from a single source system
status: experimental
author: Florian Roth
date: 2017/01/10
modified: 2021/09/21
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 529
- 4625
TargetUserName: '*'
WorkstationName: '*'
condition: selection1 | count(TargetUserName) by WorkstationName > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
level: medium
Reference in New Issue View Git Blame Copy Permalink