Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Sigma rule

title: Account Tampering - Suspicious Failed Logon Reasons
id: 9eb99343-d336-4020-a3cd-67f3819e68ee
status: test
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
    - https://twitter.com/SBousseaden/status/1101431884540710913
author: Florian Roth (Nextron Systems)
date: 2017/02/19
modified: 2022/06/29
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.initial_access
    - attack.t1078
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4625
            - 4776
        Status:
            - '0xC0000072'  # User logon to account disabled by administrator
            - '0xC000006F'  # User logon outside authorized hours
            - '0xC0000070'  # User logon from unauthorized workstation
            - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
            - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
    filter:
        SubjectUserSid: 'S-1-0-0'
    condition: selection and not filter
falsepositives:
    - User using a disabled account
level: medium
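
To show how the selection, filter and condition of this rule combine on real-looking records, here is an added Python evaluator run over constructed Windows Security events. It is example code, not part of the Sigma project; the flat event dictionaries, user names and subject SIDs in the samples are assumptions, and Sigma's default case-insensitive string matching is reproduced by upper-casing the Status value.

```python
from typing import Dict, List, Tuple

# Status codes from the rule's selection and the failure reason each one records.
SUSPICIOUS_STATUS = {
    "0XC0000072": "account disabled by administrator",
    "0XC000006F": "logon outside authorized hours",
    "0XC0000070": "logon from unauthorized workstation",
    "0XC0000413": "blocked by authentication firewall",
    "0XC000018C": "trust relationship with trusted domain failed",
    "0XC000015B": "requested logon type not granted on this machine",
}
SELECTED_EVENT_IDS = {4625, 4776}
FILTERED_SUBJECT_SID = "S-1-0-0"  # NULL SID; the rule's filter drops these


def matches(event: Dict) -> bool:
    """Evaluate 'selection and not filter' for one event record.

    Sigma string matching is case-insensitive, so the Status value is
    normalised before it is looked up.
    """
    status = str(event.get("Status", "")).upper()
    selection = event.get("EventID") in SELECTED_EVENT_IDS and status in SUSPICIOUS_STATUS
    filtered = event.get("SubjectUserSid") == FILTERED_SUBJECT_SID
    return selection and not filtered


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (TargetUserName, reason) for every event the rule fires on."""
    return [
        (str(e.get("TargetUserName", "?")), SUSPICIOUS_STATUS[str(e["Status"]).upper()])
        for e in events
        if matches(e)
    ]


# Constructed sample events (hypothetical values, not real log data).
SAMPLE_EVENTS = [
    # Disabled account used for a logon: fires.
    {"EventID": 4625, "Status": "0xC0000072", "SubjectUserSid": "S-1-5-18", "TargetUserName": "jdoe"},
    # Plain wrong password: everyday noise, not in the selection.
    {"EventID": 4625, "Status": "0xC000006D", "SubjectUserSid": "S-1-5-18", "TargetUserName": "jdoe"},
    # Suspicious status but NULL subject SID: removed by the filter.
    {"EventID": 4625, "Status": "0xC000006F", "SubjectUserSid": "S-1-0-0", "TargetUserName": "svc-backup"},
    # NTLM validation (4776) with a lowercase status: still fires.
    {"EventID": 4776, "Status": "0xc000015b", "TargetUserName": "admin2"},
]

if __name__ == "__main__":
    for user, reason in triage(SAMPLE_EVENTS):
        print(f"ALERT: failed logon for {user}: {reason}")
```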
