Failed Logins with Different Accounts from Single Source System
Detects suspicious failed logins with different user accounts from a single source system
Sigma rule (View on GitHub)
1title: Failed Logins with Different Accounts from Single Source System
2id: e98374a6-e2d9-4076-9b5c-11bdb2569995
3status: unsupported
4description: Detects suspicious failed logins with different user accounts from a single source system
5author: Florian Roth (Nextron Systems)
6date: 2017/01/10
7modified: 2023/02/24
8tags:
9 - attack.persistence
10 - attack.privilege_escalation
11 - attack.t1078
12logsource:
13 product: windows
14 service: security
15detection:
16 selection1:
17 EventID:
18 - 529
19 - 4625
20 TargetUserName: '*'
21 WorkstationName: '*'
22 condition: selection1 | count(TargetUserName) by WorkstationName > 3
23falsepositives:
24 - Terminal servers
25 - Jump servers
26 - Other multiuser systems like Citrix server farms
27 - Workstations with frequently changing users
28level: medium
Related rules
- Failed NTLM Logins with Different Accounts from Single Source System
- Malicious Service Installations
- Sticky Key Like Backdoor Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Suspicious Debugger Registration Cmdline