Account Tampering - Suspicious Failed Logon Reasons

Severity: medium
Author: Florian Roth (Nextron Systems)
Source: upstream

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts
Persistence	`T1078` Valid Accounts
Privilege Escalation	`T1078` Valid Accounts
Defense Evasion	`T1078` Valid Accounts

Event coverage

Provider	Event ID	Title
Security-Auditing	4625	An account failed to log on.
Security-Auditing	4776	The domain controller attempted to validate the credentials for an account.

Stages and Predicates

Stage 1: `all of selection_eid`

Stage 2: `all of selection_status`

or:
Status: 0xC000006F
Status: 0xC0000070
Status: 0xC0000072
Status: 0xC000015B
Status: 0xC000018C
Status: 0xC0000413
SubStatus: 0xC000006F
SubStatus: 0xC0000070
SubStatus: 0xC0000072
SubStatus: 0xC000015B
SubStatus: 0xC000018C
SubStatus: 0xC0000413

Stage 3: `not filter`

SubjectUserSid: S-1-0-0

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Status`	eq	`0xC000006F` `0xC0000070` `0xC0000072` `0xC000015B` `0xC000018C` `0xC0000413`
`SubStatus`	eq	`0xC000006F` `0xC0000070` `0xC0000072` `0xC000015B` `0xC000018C` `0xC0000413`
`SubjectUserSid`	eq	`S-1-0-0` corpus 2 (sigma 2)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Multiple Logon Failure Followed by Logon Success [elastic]
Potential Computer Account NTLM Relay Activity [elastic]
Potential Kerberos Relay Attack against a Computer Account [elastic]
Potential NTLM Relay Attack against a Computer Account [elastic]
Remote Windows Service Installed [elastic]
Suspicious Service was Installed in the System [elastic]
Service Creation via Local Kerberos Authentication [elastic]
Hacktool Ruler [sigma]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Hacktool Ruler [sigma]
Metasploit SMB Authentication [sigma]