LoFP / user using a disabled account

Techniques

Sample rules

Account Tampering - Suspicious Failed Logon Reasons

Description

This rule looks for uncommon NTSTATUS failure codes on failed logon events (4625) and NTLM credential validations (4776) to surface attempts to use accounts that are disabled, restricted by logon hours or workstation, not granted the requested logon type, blocked by an authentication firewall, or dependent on a broken domain trust. Because a 4625 event reports a generic Status and the specific reason in SubStatus, while a 4776 event carries only a status code, the rule checks both fields. The false positive documented on this page is a legitimate user repeatedly trying to log on with an account that has been disabled, which produces the same 0xC0000072 hits as an attacker probing the account.

Detection logic

selection_eid:
  EventID:
    - 4625   # An account failed to log on
    - 4776   # The computer attempted to validate the credentials for an account (NTLM)
selection_status:
  - Status:
      - '0xC0000072'  # STATUS_ACCOUNT_DISABLED: account is currently disabled
      - '0xC000006F'  # STATUS_INVALID_LOGON_HOURS: logon outside authorized hours
      - '0xC0000070'  # STATUS_INVALID_WORKSTATION: logon from an unauthorized workstation
      - '0xC0000413'  # STATUS_AUTHENTICATION_FIREWALL_FAILED: account not allowed to authenticate to this machine
      - '0xC000018C'  # STATUS_TRUSTED_DOMAIN_FAILURE: trust relationship with the trusted domain failed
      - '0xC000015B'  # STATUS_LOGON_TYPE_NOT_GRANTED: user lacks the requested logon right on this machine
  - SubStatus:
      - '0xC0000072'  # same codes; 4625 reports the specific reason here rather than in Status
      - '0xC000006F'
      - '0xC0000070'
      - '0xC0000413'
      - '0xC000018C'
      - '0xC000015B'
filter:
  SubjectUserSid: S-1-0-0   # NULL SID subject (no logged-on subject, as on network logon attempts); excluded
condition: all of selection_* and not filter
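The detection logic above, re-implemented in Python and run over constructed sample events, as an added example that is not part of the original page or of the Sigma rule itself. Field names follow the rule (EventID, Status, SubStatus, SubjectUserSid); the events, account names and addresses are made up, and the grouping helper at the end is an added triage step, not part of the rule.

```python
"""Added example: the rule's detection logic applied to constructed
Windows Security events (EID 4625 / 4776). It shows which failed logons
fire, which are excluded, and how the known false positive (one user
repeatedly trying a disabled account) looks when hits are grouped."""
from collections import Counter

# NTSTATUS codes listed in the rule, with their documented meaning.
# Keys are upper-cased so the comparison is case-insensitive.
SUSPICIOUS_STATUS = {
    "0XC0000072": "account disabled",                               # STATUS_ACCOUNT_DISABLED
    "0XC000006F": "logon outside authorized hours",                 # STATUS_INVALID_LOGON_HOURS
    "0XC0000070": "logon from unauthorized workstation",            # STATUS_INVALID_WORKSTATION
    "0XC0000413": "blocked by authentication firewall",             # STATUS_AUTHENTICATION_FIREWALL_FAILED
    "0XC000018C": "trust relationship with trusted domain failed",  # STATUS_TRUSTED_DOMAIN_FAILURE
    "0XC000015B": "requested logon type not granted",               # STATUS_LOGON_TYPE_NOT_GRANTED
}

NULL_SID = "S-1-0-0"  # the SubjectUserSid the rule's filter removes


def matches(event):
    """Return the human-readable reason if the rule fires on `event`, else None.

    condition: all of selection_* and not filter
      selection_eid    -> EventID is 4625 or 4776
      selection_status -> Status or SubStatus is one of the listed codes
      filter           -> SubjectUserSid == S-1-0-0
    """
    if event.get("EventID") not in (4625, 4776):
        return None
    if event.get("SubjectUserSid") == NULL_SID:
        return None
    for field in ("Status", "SubStatus"):
        code = str(event.get(field, "")).upper()
        reason = SUSPICIOUS_STATUS.get(code)
        if reason:
            return reason
    return None


def run(events):
    """Apply the rule to a list of events; return the hits with the reason attached."""
    hits = []
    for ev in events:
        reason = matches(ev)
        if reason:
            hits.append({"EventID": ev["EventID"],
                         "TargetUserName": ev.get("TargetUserName"),
                         "IpAddress": ev.get("IpAddress"),
                         "reason": reason})
    return hits


def triage(hits):
    """Count hits per (account, reason). One account hitting 'account disabled'
    again and again from a single source is the false positive this page
    documents; many accounts or mixed reasons deserve a closer look."""
    return Counter((h["TargetUserName"], h["reason"]) for h in hits)


# Constructed sample events (not real telemetry). 4625 carries a generic
# Status and the specific reason in SubStatus; 4776 carries only Status.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Status": "0xC000006E", "SubStatus": "0xC0000072",
     "SubjectUserSid": "S-1-5-18", "TargetUserName": "j.doe", "IpAddress": "10.0.0.21"},
    {"EventID": 4625, "Status": "0xc000006e", "SubStatus": "0xc0000072",  # lower-case hex
     "SubjectUserSid": "S-1-5-18", "TargetUserName": "j.doe", "IpAddress": "10.0.0.21"},
    # Wrong password (0xC000006A): not in the list, must not fire.
    {"EventID": 4625, "Status": "0xC000006D", "SubStatus": "0xC000006A",
     "SubjectUserSid": "S-1-5-18", "TargetUserName": "a.smith", "IpAddress": "10.0.0.33"},
    # Listed code but NULL SID subject: dropped by the filter.
    {"EventID": 4625, "Status": "0xC000006E", "SubStatus": "0xC0000072",
     "SubjectUserSid": "S-1-0-0", "TargetUserName": "svc-backup", "IpAddress": "10.0.0.50"},
    # NTLM validation failure: logon right not granted on this machine.
    {"EventID": 4776, "Status": "0xC000015B", "TargetUserName": "j.doe"},
    # Successful logon: wrong event id, must not fire.
    {"EventID": 4624, "Status": "0x0", "SubjectUserSid": "S-1-5-18", "TargetUserName": "j.doe"},
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
    print(triage(run(SAMPLE_EVENTS)))
```

Run as a script, the block prints the three hits (two disabled-account attempts by the same user from the same address and one NTLM logon-right failure) and the per-account counts. Fields the rule checks are compared case-insensitively because collectors differ in how they render hex codes; the bad-password and NULL-SID events fall through exactly as the condition line says they should.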