
AD_Logon_Failed_Locked_Account

ID: 100170

Description:

A user’s logon attempt failed on an account that was subsequently locked or was already locked out.

Windows EventID 4625 records a failed logon. Its Status/SubStatus field carries a reason code; the value 0xC0000234 means the target account is locked out.

Notes: Status - the code appears as either 0xc0000234 or 0xC0000234 (capital ‘C’) depending on the source, so the rule matches both spellings.

Ref: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

Repository: Fluency
Group: AD
Type: event

Default Status:

Enabled

Tags:
AD

Selector:

Query:

Filters:

Field                    MUST hit
@fields.EventID          4625
@fields.Status           0xc0000234, 0xC0000234
@fields.TargetUserName   exist (boolean)

Field                    MUST NOT hit

Behavior Rule:

Key                      Type       Behavior   Category
@fields.TargetUserName   username   account    login

Risks:

Risks          Base Score   Dimension
ALERT_NORMAL   100          alert

Attributes:

Alias               Key
TargetUserName      @fields.TargetUserName
TargetDomainName    @fields.TargetDomainName
SubjectUserSid      @fields.SubjectUserSid
SubjectUserName     @fields.SubjectUserName
SubjectDomainName   @fields.SubjectDomainName
SubjectLogonId      @fields.SubjectLogonId
LogonType           @fields.LogonType
WorkstationName     @fields.WorkstationName
IpAddress           @fields.IpAddress

Correlation Rules:

First Occurrence:

Name      Window    Fields
NewUser   10 days   @fields.TargetUserName
  Risks: ML_NEW_USER

Aggregation:

Name            Window   Field   AggType   Match
MultipleFails   1 hour   -       count     gt 10
  Risks: ALERT_POLICY
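The selector and the MultipleFails aggregation above, implemented as an added example so the matching logic can be checked against sample data. This is illustrative code written for this page, not Fluency's rule engine; the function names (matches_rule, evaluate), the flat dict event shape and the sample events are assumptions constructed for the example. It shows the two points the rule depends on: the status code must match regardless of the case of the hex digits, and the policy alert fires only when more than 10 matching failures for one TargetUserName fall inside a one-hour window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Status values from the rule's filter; compared case-insensitively because
# the same code is exported as 0xc0000234 or 0xC0000234 by different sources.
LOCKED_OUT_STATUS = {s.lower() for s in ("0xc0000234", "0xC0000234")}


def matches_rule(event: dict) -> bool:
    """Selector: EventID 4625, locked-out status, TargetUserName must exist."""
    if str(event.get("EventID")) != "4625":
        return False
    if str(event.get("Status", "")).lower() not in LOCKED_OUT_STATUS:
        return False
    # "exist (boolean)": an empty or missing TargetUserName does not hit.
    return bool(event.get("TargetUserName"))


def evaluate(events, window=timedelta(hours=1), threshold=10):
    """Return (ALERT_NORMAL hits, users raising ALERT_POLICY).

    Every matching event is an ALERT_NORMAL hit. ALERT_POLICY is raised for a
    TargetUserName whose matching events, in any sliding window of `window`,
    number more than `threshold` (the rule's 'count gt 10' over 1 hour).
    """
    normal = []
    per_user = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            normal.append(ev)
            per_user[ev["TargetUserName"]].append(ev["timestamp"])

    policy = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it is within `window` of `end`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                policy.add(user)
                break
    return normal, policy


def _event(ts, event_id, status, user):
    # Helper to build a constructed event in the flat dict shape assumed here.
    return {"timestamp": ts, "EventID": event_id, "Status": status,
            "TargetUserName": user}


# Constructed sample events (not real log data).
BASE = datetime(2021, 10, 11, 0, 0, 0)
SAMPLE_EVENTS = (
    # 12 lockout failures against one account, 2 minutes apart, mixed case.
    [_event(BASE + timedelta(minutes=2 * i), 4625,
            "0xc0000234" if i % 2 else "0xC0000234", "svc-backup")
     for i in range(12)]
    # 2 lockout failures for another account: normal alerts, no policy hit.
    + [_event(BASE + timedelta(hours=2), 4625, "0xC0000234", "jdoe"),
       _event(BASE + timedelta(hours=5), 4625, "0xC0000234", "jdoe")]
    # Wrong-password failure (different status), successful logon, and a
    # 4625 with no TargetUserName: none of these hit the selector.
    + [_event(BASE, 4625, "0xC000006A", "jdoe"),
       _event(BASE, 4624, "0x0", "jdoe"),
       _event(BASE, 4625, "0xC0000234", "")]
)


def run_sample():
    """Evaluate the constructed events; returns (hit count, policy users)."""
    normal, policy = evaluate(SAMPLE_EVENTS)
    return len(normal), policy


if __name__ == "__main__":
    count, users = run_sample()
    print(f"ALERT_NORMAL hits: {count}; ALERT_POLICY users: {sorted(users)}")
```

The sliding window is evaluated per user over sorted timestamps, so a burst of 11 or more lockout failures triggers ALERT_POLICY no matter where in the hour it falls, while the two spaced-out failures for the second account only produce the base ALERT_NORMAL hits.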

History:

User Date
em*n@fluencysecurity.com 2021 Jan 28 01:03:44 EST
ho*d@fluencysecurity.com 2021 May 28 11:24:20 EDT
ho*d@fluencysecurity.com 2021 Oct 11 00:11:10 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)