title: Failed Logins with Different Accounts from Single Source System
author: Florian Roth
date: 2017/01/10
description: Detects suspicious failed logins with different user accounts from a single source system
detection:
  SELECTION_1:
    EventID: 4776
  SELECTION_2:
    TargetUserName: '*'
  SELECTION_3:
    Workstation: '*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3) | count(TargetUserName) by Workstation > 3
falsepositives:
  - Terminal servers
  - Jump servers
  - Other multiuser systems like Citrix server farms
  - Workstations with frequently changing users
id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
level: medium
logsource:
  product: windows
  service: security
modified: 2021/09/21
related:
  - id: e98374a6-e2d9-4076-9b5c-11bdb2569995
    type: derived
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1078
yml_filename: win_susp_failed_logons_single_source2.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
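The following evaluator is an added example, not part of the rule file or the Sigma project: it applies the selection and the count(TargetUserName) by Workstation > 3 aggregation to a constructed batch of 4776 events, assuming the aggregation means distinct TargetUserName values per Workstation (as sigmac backends render it) and, since the rule sets no timeframe, that the batch is the whole window.

```python
from collections import defaultdict

# Constructed sample of Windows Security events (not real log data).
# Event 4776 = NTLM credential validation; Status 0xC000006A = bad password,
# 0xC0000064 = unknown user, 0x0 = successful validation.
SAMPLE_EVENTS = [
    {"EventID": 4776, "TargetUserName": "alice", "Workstation": "WKS-FINANCE-07", "Status": "0xC000006A"},
    {"EventID": 4776, "TargetUserName": "bob",   "Workstation": "WKS-FINANCE-07", "Status": "0xC000006A"},
    {"EventID": 4776, "TargetUserName": "alice", "Workstation": "WKS-FINANCE-07", "Status": "0xC000006A"},
    {"EventID": 4776, "TargetUserName": "carol", "Workstation": "WKS-FINANCE-07", "Status": "0xC0000064"},
    {"EventID": 4776, "TargetUserName": "dave",  "Workstation": "WKS-FINANCE-07", "Status": "0x0"},
    {"EventID": 4776, "TargetUserName": "alice", "Workstation": "JUMP-01", "Status": "0xC000006A"},
    {"EventID": 4776, "TargetUserName": "bob",   "Workstation": "JUMP-01", "Status": "0xC000006A"},
    {"EventID": 4625, "TargetUserName": "eve",   "Workstation": "WKS-FINANCE-07", "Status": "0xC000006D"},
    {"EventID": 4776, "TargetUserName": "frank", "Workstation": "", "Status": "0xC000006A"},
]


def matches_selection(event):
    """SELECTION_1 and SELECTION_2 and SELECTION_3: EventID 4776 with both
    TargetUserName and Workstation present (Sigma '*' = any non-empty value)."""
    return (
        event.get("EventID") == 4776
        and bool(event.get("TargetUserName"))
        and bool(event.get("Workstation"))
    )


def distinct_users_by_workstation(events):
    """The 'count(TargetUserName) by Workstation' aggregation: number of
    distinct account names seen per source workstation among matching events."""
    users = defaultdict(set)
    for ev in events:
        if matches_selection(ev):
            users[ev["Workstation"]].add(ev["TargetUserName"])
    return {ws: len(names) for ws, names in users.items()}


def evaluate_rule(events, threshold=3):
    """Return {Workstation: distinct_user_count} for every source exceeding the
    rule's '> 3' threshold. The rule as written does not inspect Status, so a
    successful 4776 validation (0x0) counts toward the total just like a failure."""
    counts = distinct_users_by_workstation(events)
    return {ws: n for ws, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for ws, n in evaluate_rule(SAMPLE_EVENTS).items():
        print(f"ALERT: {n} distinct accounts validated from {ws}")
```

In the sample, WKS-FINANCE-07 fires (alice, bob, carol, dave) while JUMP-01 stays under the threshold, the 4625 event is ignored by SELECTION_1, and the record without a Workstation is dropped by SELECTION_3.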