Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Sigma rule

title: Account Tampering - Suspicious Failed Logon Reasons
id: 9eb99343-d336-4020-a3cd-67f3819e68ee
status: test
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
    - https://twitter.com/SBousseaden/status/1101431884540710913
author: Florian Roth (Nextron Systems)
date: 2017-02-19
modified: 2025-10-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.initial-access
    - attack.t1078
logsource:
    product: windows
    service: security
detection:
    selection_eid:
        EventID:
            - 4625
            - 4776
    selection_status:
        - Status:
              - '0xC0000072'  # User logon to account disabled by administrator
              - '0xC000006F'  # User logon outside authorized hours
              - '0xC0000070'  # User logon from unauthorized workstation
              - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
              - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
              - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
        - SubStatus:
              - '0xC0000072'  # User logon to account disabled by administrator
              - '0xC000006F'  # User logon outside authorized hours
              - '0xC0000070'  # User logon from unauthorized workstation
              - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
              - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
              - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
    filter:
        SubjectUserSid: 'S-1-0-0'
    condition: all of selection_* and not filter
falsepositives:
    - User using a disabled account
level: medium
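
The rule's condition, evaluated over a few constructed Security events so the matching behaviour can be checked before deployment. This is an added example, not code from the rule or from SigmaHQ; the event field names follow the rule, the sample events are made up, and Sigma's case-insensitive string matching is approximated with a lowercase comparison.

```python
# Added example: applies the rule's logic to constructed Windows Security
# events. It is not part of the Sigma rule or of the SigmaHQ project.

# Status/SubStatus values the rule treats as suspicious (from the rule).
SUSPICIOUS_CODES = {
    "0xC0000072",  # account disabled by administrator
    "0xC000006F",  # logon outside authorized hours
    "0xC0000070",  # logon from unauthorized workstation
    "0xC0000413",  # authentication firewall blocks this account
    "0xC000018C",  # trust relationship with the trusted domain failed
    "0xC000015B",  # requested logon type (logon right) not granted here
}
_SUSPICIOUS_LOWER = {c.lower() for c in SUSPICIOUS_CODES}


def _norm(value) -> str:
    # Sigma string matching is case-insensitive by default; approximate it.
    return str(value or "").strip().lower()


def matches_rule(event: dict) -> bool:
    """True when 'all of selection_* and not filter' holds for the event."""
    # selection_eid: EventID must be 4625 or 4776
    if event.get("EventID") not in (4625, 4776):
        return False
    # selection_status: list of maps, so Status OR SubStatus may match
    if (_norm(event.get("Status")) not in _SUSPICIOUS_LOWER
            and _norm(event.get("SubStatus")) not in _SUSPICIOUS_LOWER):
        return False
    # filter: exclude events whose subject is the null SID (absent field
    # does not match the filter, so such events are kept)
    return event.get("SubjectUserSid") != "S-1-0-0"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "svc_backup", "Status": "0xC000006D",
     "SubStatus": "0xC0000072", "SubjectUserSid": "S-1-5-18"},  # disabled acct
    {"EventID": 4625, "TargetUserName": "jdoe", "Status": "0xC000006D",
     "SubStatus": "0xC000006A", "SubjectUserSid": "S-1-5-18"},  # bad password
    {"EventID": 4625, "TargetUserName": "jdoe", "Status": "0xC000006F",
     "SubStatus": "0x0", "SubjectUserSid": "S-1-0-0"},          # null SID
    {"EventID": 4776, "TargetUserName": "admin2", "Status": "0xc000015b"},
]


def alerts(events) -> list:
    """Return the TargetUserName of every event the rule would fire on."""
    return [e["TargetUserName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['svc_backup', 'admin2']
```

The third sample shows why the filter matters: the same status code is dropped when SubjectUserSid is the null SID, while the 4776 event, which carries no SubjectUserSid at all, is still matched.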
