Failed NTLM Logins with Different Accounts from Single Source System

Detects suspicious failed logins with different user accounts from a single source system

Sigma rule

```yaml
title: Failed NTLM Logins with Different Accounts from Single Source System
id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
related:
    - id: e98374a6-e2d9-4076-9b5c-11bdb2569995
      type: derived
status: unsupported
description: Detects suspicious failed logins with different user accounts from a single source system
author: Florian Roth (Nextron Systems)
date: 2017/01/10
modified: 2023/02/24
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1078
logsource:
    product: windows
    service: security
detection:
    selection2:
        EventID: 4776
        TargetUserName: '*'
        Workstation: '*'
    timeframe: 24h
    condition: selection2 | count(TargetUserName) by Workstation > 3
falsepositives:
    - Terminal servers
    - Jump servers
    - Other multiuser systems like Citrix server farms
    - Workstations with frequently changing users
level: medium
```
