security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fefb8564717d69af72ededb4172bc7ec00aac734
blue-team-tools/rules/windows/builtin/win_susp_failed_logons_single_source.yml
T
frack113 a6bb5574fb Update global id
2021-09-03 06:35:35 +02:00

39 lines
1.0 KiB
YAML
Raw Blame History

action: global
title: Failed Logins with Different Accounts from Single Source System
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth
date: 2017/01/10
modified: 2021/08/29
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
logsource:
product: windows
service: security
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
level: medium
---
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
detection:
selection1:
EventID:
- 529
- 4625
TargetUserName: '*'
WorkstationName: '*'
condition: selection1 | count(TargetUserName) by WorkstationName > 3
---
id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
detection:
selection2:
EventID: 4776
TargetUserName: '*'
Workstation: '*'
timeframe: 24h
condition: selection2 | count(TargetUserName) by Workstation > 3
Reference in New Issue View Git Blame Copy Permalink