DiagTrackEoP Default Login Username
Detects the default "UserName" used by the DiagTrackEoP POC
Sigma rule (View on GitHub)
1title: DiagTrackEoP Default Login Username
2id: 2111118f-7e46-4fc8-974a-59fd8ec95196
3status: test
4description: Detects the default "UserName" used by the DiagTrackEoP POC
5references:
6 - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/08/03
9tags:
10 - attack.privilege_escalation
11logsource:
12 product: windows
13 service: security
14detection:
15 selection:
16 EventID: 4624
17 LogonType: 9
18 TargetOutboundUserName: 'thisisnotvaliduser'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: critical
References
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes