Account Tampering - Suspicious Failed Logon Reasons

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Sigma rule (View on GitHub)

 1title: Account Tampering - Suspicious Failed Logon Reasons
 2id: 9eb99343-d336-4020-a3cd-67f3819e68ee
 3status: test
 4description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
 5references:
 6    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
 7    - https://twitter.com/SBousseaden/status/1101431884540710913
 8author: Florian Roth (Nextron Systems)
 9date: 2017-02-19
10modified: 2022-06-29
11tags:
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.privilege-escalation
15    - attack.initial-access
16    - attack.t1078
17logsource:
18    product: windows
19    service: security
20detection:
21    selection:
22        EventID:
23            - 4625
24            - 4776
25        Status:
26            - '0xC0000072'  # User logon to account disabled by administrator
27            - '0xC000006F'  # User logon outside authorized hours
28            - '0xC0000070'  # User logon from unauthorized workstation
29            - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
30            - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
31            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
32    filter:
33        SubjectUserSid: 'S-1-0-0'
34    condition: selection and not filter
35falsepositives:
36    - User using a disabled account
37level: medium

References

Related rules

to-top