DiagTrackEoP Default Login Username

 1title: DiagTrackEoP Default Login Username
 2id: 2111118f-7e46-4fc8-974a-59fd8ec95196
 3status: test
 4description: Detects the default "UserName" used by the DiagTrackEoP POC
 5references:
 6    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-08-03
 9tags:
10    - attack.privilege-escalation
11logsource:
12    product: windows
13    service: security
14detection:
15    selection:
16        EventID: 4624
17        LogonType: 9
18        TargetOutboundUserName: 'thisisnotvaliduser'
19    condition: selection
20falsepositives:
21    - Unlikely
22level: critical

References

• DiagTrackEoP/main.cpp at 3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f · Wh04m1001/DiagTrackEoP

  

  Contribute to Wh04m1001/DiagTrackEoP development by creating an account on GitHub.

  
  Read More

Related rules

• ADCS Certificate Template Configuration Vulnerability
• ADCS Certificate Template Configuration Vulnerability with Risky EKU
• APT PRIVATELOG Image Load Pattern
• AWS Attached Malicious Lambda Layer
• AWS Glue Development Endpoint Activity