Microsoft-Windows-Security-Auditing Event ID 4625
Sigma (7)
Elastic (6)
Splunk (15)
- Detect Password Spray Attack Behavior From Source
- Detect Password Spray Attack Behavior On User
- Detect Password Spray Attempts
- Meterpreter Reverse Shell (Windows Event Log)
- Multiple Failed Network Logon Attempts from Host (Windows Event Log)
- Password Spraying Windows (Windows Event Log)
- Potential EternalBlue via Metasploit (Windows Event Log)
- RDP Brute-force Detection (Windows Event Log)
- Suspicious Login Failures (Windows Event Log)
- Windows Identify PowerShell Web Access IIS Pool
- Windows Local Administrator Credential Stuffing
- Windows Multiple Users Failed To Authenticate From Process
- Windows Multiple Users Remotely Failed To Authenticate From Host
- Windows Unusual Count Of Users Failed To Authenticate From Process
- Windows Unusual Count Of Users Remotely Failed To Auth From Host
Kusto (12)
- Brute force attack against user credentials (Uses Authentication Normalization)
- EatonForeseer - Unauthorized Logins
- Excessive Windows Logon Failures
- Failed logon attempts by valid accounts within 10 mins
- Password Spray
- Password Spraying
- Potential NTLM Relay Attack to Domain Controller
- Potential Password Spray Attack (Uses Authentication Normalization)
- Potential Remote Desktop Tunneling
- SecurityEvent - Multiple authentication failures followed by a success
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- User login from different countries within 3 hours (Uses Authentication Normalization)