LoFP / user using a disabled account

Techniques

Sample rules

Account Tampering - Suspicious Failed Logon Reasons

Description

This rule uses uncommon NTSTATUS error codes on failed logons (events 4625 and 4776) to detect suspicious activity and tampering involving accounts that have been disabled or otherwise restricted. A legitimate user attempting to log on with an account that has been disabled produces the same failure code, which is the false positive this page documents.

Detection logic

condition: selection and not filter
filter:
  SubjectUserSid: S-1-0-0
selection:
  EventID:
  - 4625
  - 4776
  Status:
  - '0xC0000072'
  - '0xC000006F'
  - '0xC0000070'
  - '0xC0000413'
  - '0xC000018C'
  - '0xC000015B'
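To show how the selection and filter above behave on real-looking events, and where the documented false positive comes from, here is an added example in plain Python that evaluates the rule's `selection and not filter` logic over a handful of constructed Windows Security events. It is not part of LoFP or of the Sigma project; the NTSTATUS names next to each code are standard Windows constants, the sample events and hostnames are made up, and the `likely_false_positive` heuristic (one account repeatedly failing with STATUS_ACCOUNT_DISABLED from one source) is an assumption of this example rather than something the rule defines.

```python
"""Evaluate the Sigma detection 'selection and not filter' over constructed events.

Added example; not LoFP or Sigma code. Event field names follow the Windows
Security log: 4625 carries SubjectUserSid/WorkstationName, 4776 carries
Workstation and has no SubjectUserSid, so the filter never applies to it.
"""

# Status values from the rule's selection, keyed lowercase because Sigma string
# matching is case-insensitive and 4776 usually logs the code in lowercase hex.
SUSPICIOUS_STATUS = {
    "0xc0000072": "STATUS_ACCOUNT_DISABLED",
    "0xc000006f": "STATUS_INVALID_LOGON_HOURS",
    "0xc0000070": "STATUS_INVALID_WORKSTATION",
    "0xc0000413": "STATUS_AUTHENTICATION_FIREWALL_FAILED",
    "0xc000018c": "STATUS_TRUSTED_DOMAIN_FAILURE",
    "0xc000015b": "STATUS_LOGON_TYPE_NOT_GRANTED",
}
SELECTED_EVENT_IDS = {4625, 4776}
NULL_SID = "S-1-0-0"  # the rule's filter drops events whose SubjectUserSid is the null SID


def normalize_status(value):
    """Lowercase the hex status so '0xC0000072' and '0xc0000072' compare equal."""
    return str(value or "").lower()


def matches_rule(event):
    """Return True when the event satisfies 'selection and not filter'."""
    selection = (event.get("EventID") in SELECTED_EVENT_IDS
                 and normalize_status(event.get("Status")) in SUSPICIOUS_STATUS)
    filter_hit = event.get("SubjectUserSid") == NULL_SID
    return selection and not filter_hit


def source_of(event):
    """4625 names the client 'WorkstationName'; 4776 names it 'Workstation'."""
    return event.get("WorkstationName") or event.get("Workstation")


def triage(events):
    """Run the rule and annotate each hit with the NTSTATUS name and a flag for
    the documented false positive: a single account failing with
    STATUS_ACCOUNT_DISABLED from one source (assumed heuristic for this example)."""
    hits = [e for e in events if matches_rule(e)]
    accounts_per_source = {}
    for e in hits:
        accounts_per_source.setdefault(source_of(e), set()).add(e.get("TargetUserName"))
    results = []
    for e in hits:
        name = SUSPICIOUS_STATUS[normalize_status(e["Status"])]
        likely_fp = (name == "STATUS_ACCOUNT_DISABLED"
                     and len(accounts_per_source[source_of(e)]) == 1)
        results.append({
            "EventID": e["EventID"],
            "TargetUserName": e.get("TargetUserName"),
            "Source": source_of(e),
            "Status": name,
            "likely_false_positive": likely_fp,
        })
    return results


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # A user trying a disabled account from their own workstation: matches, likely benign.
    {"EventID": 4625, "Status": "0xC0000072", "SubjectUserSid": "S-1-5-21-1-2-3-1001",
     "TargetUserName": "jdoe", "WorkstationName": "WS01"},
    # Same code but the null subject SID: excluded by the filter.
    {"EventID": 4625, "Status": "0xC000006F", "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "jdoe", "WorkstationName": "WS01"},
    # NTLM validation (4776) outside logon hours, lowercase code: matches.
    {"EventID": 4776, "Status": "0xc000006f", "TargetUserName": "svc_backup",
     "Workstation": "WS02"},
    # Plain bad password (0xC000006D): not in the selection.
    {"EventID": 4625, "Status": "0xC000006D", "SubjectUserSid": "S-1-5-21-1-2-3-1002",
     "TargetUserName": "alice", "WorkstationName": "WS03"},
    # Two different disabled accounts from one source: matches, not flagged as the FP.
    {"EventID": 4776, "Status": "0xc0000072", "TargetUserName": "alice", "Workstation": "WS04"},
    {"EventID": 4776, "Status": "0xc0000072", "TargetUserName": "bob", "Workstation": "WS04"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The rule fires on every event in the selection whose subject is not the null SID, so the single disabled-account attempt from WS01 is an alert just like the multi-account case from WS04; the `likely_false_positive` flag is where a triage layer would separate the benign case this page describes from the rest, and the heuristic should be tuned to your own environment rather than taken from this example.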