LoFP / systems with names equal to the spoofed ones used by the brute force tools

Techniques

Sample rules

NTLM Brute Force

Description

Detects workstation names commonly spoofed by NTLM brute force tools

Detection logic

condition: selection and devicename
devicename:
  WorkstationName:
  - Rdesktop
  - Remmina
  - Freerdp
  - Windows7
  - Windows8
  - Windows2012
  - Windows2016
  - Windows2019
selection:
  EventID: 8004
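The rule's condition, evaluated over constructed Event ID 8004 records, as an added example that is not part of the LoFP page or the Sigma rule it quotes. It assumes Sigma's default case-insensitive string matching, and KNOWN_HOSTS is a hypothetical asset inventory used to suppress the false positive the page describes (a real machine that happens to be named like one of the tools).

```python
# Added example, not from the LoFP page or the Sigma rule. Assumes Sigma matches
# string values case-insensitively; KNOWN_HOSTS is a hypothetical SOC inventory.

# WorkstationName values from the rule's "devicename" selection, lower-cased.
SPOOFED_NAMES = {"rdesktop", "remmina", "freerdp", "windows7", "windows8",
                 "windows2012", "windows2016", "windows2019"}

# Hypothetical inventory of real hosts that carry one of those names.
KNOWN_HOSTS = {"windows7"}

# Constructed sample events carrying the fields the rule refers to.
EVENTS = [
    {"EventID": 8004, "WorkstationName": "Rdesktop", "TargetUserName": "alice"},
    {"EventID": 8004, "WorkstationName": "WINDOWS7", "TargetUserName": "bob"},
    {"EventID": 8004, "WorkstationName": "HR-LAPTOP-12", "TargetUserName": "carol"},
    {"EventID": 4776, "WorkstationName": "Freerdp", "TargetUserName": "dave"},
]


def rule_matches(event):
    """Implements 'condition: selection and devicename' from the rule."""
    selection = event.get("EventID") == 8004
    devicename = str(event.get("WorkstationName", "")).lower() in SPOOFED_NAMES
    return selection and devicename


def triage(events):
    """Split rule hits into alerts and inventory-suppressed false positives."""
    alerts, suppressed = [], []
    for ev in events:
        if not rule_matches(ev):
            continue
        if ev["WorkstationName"].lower() in KNOWN_HOSTS:
            suppressed.append(ev)  # legitimately named host, see page title
        else:
            alerts.append(ev)
    return alerts, suppressed


if __name__ == "__main__":
    hits, fps = triage(EVENTS)
    print("alerts:", [e["WorkstationName"] for e in hits])
    print("suppressed:", [e["WorkstationName"] for e in fps])
```

Suppression by inventory only hides the known hosts; a stolen credential used from such a host still shows up as repeated 8004 events and should be caught by a volume-based rule.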