title: Failed Logins with Different Accounts from Single Source System
author: Florian Roth
date: 2017/01/10
description: Detects suspicious failed logins with different user accounts from a
    single source system
detection:
    SELECTION_1:
        EventID: 529
    SELECTION_2:
        EventID: 4625
    SELECTION_3:
        TargetUserName: '*'
    SELECTION_4:
        WorkstationName: '*'
    condition: ((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4)| count(TargetUserName)
        by WorkstationName > 3
falsepositives:
- Terminal servers
- Jump servers
- Other multiuser systems like Citrix server farms
- Workstations with frequently changing users
id: e98374a6-e2d9-4076-9b5c-11bdb2569995
level: medium
logsource:
    product: windows
    service: security
modified: 2021/09/21
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
yml_filename: win_susp_failed_logons_single_source.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin