DiagTrackEoP Default Login Username

 1title: DiagTrackEoP Default Login Username
 2id: 2111118f-7e46-4fc8-974a-59fd8ec95196
 3status: test
 4description: Detects the default "UserName" used by the DiagTrackEoP POC
 5references:
 6    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/08/03
 9tags:
10    - attack.privilege_escalation
11logsource:
12    product: windows
13    service: security
14detection:
15    selection:
16        EventID: 4624
17        LogonType: 9
18        TargetOutboundUserName: 'thisisnotvaliduser'
19    condition: selection
20falsepositives:
21    - Unlikely
22level: critical

References

• DiagTrackEoP/main.cpp at 3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f · Wh04m1001/DiagTrackEoP

  

  Contribute to Wh04m1001/DiagTrackEoP development by creating an account on GitHub.

  
  Read More

Related rules

• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Application AppID Uri Configuration Changes
• Application URI Configuration Changes