security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules-unsupported/win_security_susp_failed_logons_single_source.yml
T
Nasreddine Bencherchali 587fbbce58 chore: update pipe-notation rules to unsupported
2023-02-24 19:54:14 +01:00

29 lines
838 B
YAML
Raw Blame History

title: Failed Logins with Different Accounts from Single Source System
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
status: unsupported
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth (Nextron Systems)
date: 2017/01/10
modified: 2023/02/24
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 529
- 4625
TargetUserName: '*'
WorkstationName: '*'
condition: selection1 | count(TargetUserName) by WorkstationName > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
level: medium
Reference in New Issue View Git Blame Copy Permalink