Account Tampering - Suspicious Failed Logon Reasons
This rule uses uncommon failure status codes on failed logon events (4625, 4776) to flag suspicious activity and tampering involving accounts that have been disabled or otherwise restricted.
Author: Florian Roth (Nextron Systems)
Log Source
Product: windows
Service: security
Detection Logic
detection:
    selection_eid:
        EventID:
            - 4625
            - 4776
    selection_status:
        - Status:
            - '0xC0000072' # User logon to account disabled by administrator
            - '0xC000006F' # User logon outside authorized hours
            - '0xC0000070' # User logon from unauthorized workstation
            - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
            - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
            - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
        - SubStatus:
            - '0xC0000072' # User logon to account disabled by administrator
            - '0xC000006F' # User logon outside authorized hours
            - '0xC0000070' # User logon from unauthorized workstation
            - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
            - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
            - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
    filter:
        SubjectUserSid: 'S-1-0-0'
    condition: all of selection_* and not filter
False Positives
User using a disabled account
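To see how the three selectors above combine, here is an added example (not the Sigma rule's own code and not part of this page) that re-implements the detection logic in Python and runs it over constructed sample Security events. It shows the two points a practitioner should check before trusting a backend conversion: 4625 usually reports a generic Status (for example 0xC000006E) and carries the specific reason in SubStatus, while 4776 has only a Status field, which is why the rule matches either field; and the filter drops events whose subject is S-1-0-0, the NULL SID that appears when no already-authenticated account is associated with the attempt. Field names (EventID, Status, SubStatus, SubjectUserSid, TargetUserName) follow the Windows Security log; the events themselves are made up for illustration.

```python
"""Run the 'Suspicious Failed Logon Reasons' logic over sample Security events.

Added example, not part of the Sigma rule or of this page: a stand-alone
re-implementation of the rule's three selectors so the matching behaviour
(Status vs. SubStatus, the NULL-SID filter) can be checked offline without
a SIEM. The events below are constructed for illustration, not real exports.
"""

# NTSTATUS codes listed in the rule, with the reason text from its comments.
SUSPICIOUS_STATUS = {
    "0xC0000072": "account disabled by administrator",
    "0xC000006F": "logon outside authorized hours",
    "0xC0000070": "logon from unauthorized workstation",
    "0xC0000413": "blocked by authentication firewall",
    "0xC000018C": "trust relationship with trusted domain failed",
    "0xC000015B": "requested logon type not granted on this machine",
}

NULL_SID = "S-1-0-0"  # the rule's filter: events with this subject SID are dropped


def normalize_status(code):
    """Canonicalise an NTSTATUS string so 0xc0000072 and 0xC0000072 compare equal.

    Sigma string comparison is case-insensitive; a Python dict lookup is not,
    and agents are inconsistent about the hex case they emit.
    """
    if not code:
        return None
    code = code.strip().upper()  # e.g. "0XC0000072"
    return "0x" + code[2:] if code.startswith("0X") else code


def match_rule(event):
    """Return the matched reason text, or None.

    Implements 'all of selection_* and not filter':
      selection_eid    -> EventID in (4625, 4776)
      selection_status -> Status OR SubStatus in SUSPICIOUS_STATUS
      filter           -> SubjectUserSid == S-1-0-0
    """
    if int(event.get("EventID", 0)) not in (4625, 4776):
        return None
    # 4625 normally carries a generic Status (e.g. 0xC000006E) and puts the
    # specific reason in SubStatus; 4776 has only a Status field. Checking
    # both fields is what lets one selector serve both event IDs.
    reason = None
    for field in ("Status", "SubStatus"):
        code = normalize_status(event.get(field))
        if code in SUSPICIOUS_STATUS:
            reason = SUSPICIOUS_STATUS[code]
            break
    if reason is None:
        return None
    if event.get("SubjectUserSid") == NULL_SID:
        return None
    return reason


def find_matches(events):
    """Return (TargetUserName, EventID, reason) for every matching event."""
    hits = []
    for ev in events:
        reason = match_rule(ev)
        if reason is not None:
            hits.append((ev.get("TargetUserName"), int(ev["EventID"]), reason))
    return hits


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # 4625 against a disabled account: generic Status, reason in SubStatus -> hit
    {"EventID": 4625, "Status": "0xC000006E", "SubStatus": "0xC0000072",
     "SubjectUserSid": "S-1-5-18", "TargetUserName": "svc_backup",
     "IpAddress": "10.0.0.25"},
    # 4776 (NTLM validation on a DC): only Status, lower-case hex -> hit
    {"EventID": 4776, "Status": "0xc000006f", "TargetUserName": "jdoe",
     "Workstation": "WS-042"},
    # ordinary wrong password: not in the list, no hit
    {"EventID": 4625, "Status": "0xC000006D", "SubStatus": "0xC000006A",
     "SubjectUserSid": "S-1-0-0", "TargetUserName": "jdoe"},
    # listed reason, but NULL SID subject -> suppressed by the filter
    {"EventID": 4625, "Status": "0xC000006E", "SubStatus": "0xC0000070",
     "SubjectUserSid": "S-1-0-0", "TargetUserName": "alice"},
    # successful logon: wrong EventID, no hit
    {"EventID": 4624, "SubjectUserSid": "S-1-5-18", "TargetUserName": "alice"},
    # logon right not granted: reason sits in Status for this one -> hit
    {"EventID": 4625, "Status": "0xC000015B", "SubStatus": "0x0",
     "SubjectUserSid": "S-1-5-21-1004336348-1177238915-682003330-1001",
     "TargetUserName": "contractor1"},
]


if __name__ == "__main__":
    for user, eid, reason in find_matches(SAMPLE_EVENTS):
        print(f"{eid} {user}: {reason}")
```

Run as a script it prints the three hits (svc_backup, jdoe, contractor1) and silently drops the wrong-password attempt, the NULL-SID event and the 4624. When you convert the rule for a real backend, confirm that the backend compares Status and SubStatus as case-insensitive strings (some pipelines store them as integers, which breaks the quoted hex literals), and keep the disabled-account false positive from the section above in mind when tuning the alert level.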
MITRE ATT&CK
T1078 Valid Accounts (tactics: Persistence, Defense Evasion, Privilege Escalation, Initial Access)
Rule Metadata
Rule ID
9eb99343-d336-4020-a3cd-67f3819e68ee
Status
test
Level
medium
Type
Detection
Created
Sun Feb 19
Modified
Fri Oct 17
Path
rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
Raw Tags
attack.persistence
attack.defense-evasion
attack.privilege-escalation
attack.initial-access
attack.t1078