Multiple Logon Failure Followed by Logon Success

Author: Elastic
Source: upstream

Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1110` Brute Force, `T1110.001` Brute Force: Password Guessing, `T1110.003` Brute Force: Password Spraying

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4625	An account failed to log on.

Stages and Predicates

Stage 1: `eql:authentication`

not user.id:"S-1-0-0" and not user.name:"ANONYMOUS LOGON" and not winlog.event_data.Status:0xC000015B and not winlog.event_data.TargetUserSid:"S-1-0-0" and event.action:"logon-failed" and not source.ip:"127.0.0.1" and not source.ip:"::1" and not user.domain:"NT AUTHORITY" and winlog.logon.type:"Network"

Stage 2: `eql:authentication`

not user.name:"ANONYMOUS LOGON" and event.action:"logged-in" and not source.ip:"127.0.0.1" and not source.ip:"::1" and not user.domain:"NT AUTHORITY" and winlog.logon.type:"Network"

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`Status`	eq	`0xC000015B`, `0XC000005E`, `0XC0000133`, `0XC0000192`
2	`TargetUserSid`	eq	`S-1-0-0`
3	`user`	wildcard	`ANONYMOUS LOGON`, `-`, `*$`
4	`user.id`	eq	`S-1-0-0`
1	`user`	wildcard	`ANONYMOUS LOGON`, `-`, `*$`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	eq	`logged-in` corpus 7 (elastic 7) `logon-failed` corpus 3 (elastic 3)
`source.ip`	ne	`127.0.0.1` corpus 8 (elastic 8) `::1` corpus 7 (elastic 7)
`user.domain`	ne	`NT AUTHORITY` corpus 2 (elastic 2)
`winlog.logon.type`	wildcard	`Network` corpus 3 (elastic 3)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Windows Identify PowerShell Web Access IIS Pool [splunk]
Windows Local Administrator Credential Stuffing [splunk]