RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Sigma rule
title: RottenPotato Like Attack Pattern
id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
status: test
description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
references:
    - https://twitter.com/SBousseaden/status/1195284233729777665
author: '@SBousseaden, Florian Roth'
date: 2019-11-15
modified: 2022-12-22
tags:
    - attack.collection
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1557.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        TargetUserName: 'ANONYMOUS LOGON'
        WorkstationName: '-'
        IpAddress:
            - '127.0.0.1'
            - '::1'
    condition: selection
falsepositives:
    - Unknown
level: high
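The selection above ANDs every listed field and ORs the values inside a list, with case-insensitive string matching as Sigma defines it. The following Python is an added example (not part of the Sigma project or this rule) that applies the same logic to a handful of constructed Security event 4624 records, so you can see which logons the rule would flag and which it deliberately leaves alone. Field names follow the Windows Security event schema used by the rule; the RecordNumber values and the events themselves are made up for the example.

```python
"""Apply the RottenPotato-like Sigma selection to sample 4624 events.

Added example: re-implements the rule's selection logic in plain Python
and runs it over constructed events (no real telemetry).
"""
from typing import Any, Dict, Iterable, List, Mapping

# Selection copied from the rule: keys are ANDed, list values are ORed.
SELECTION: Dict[str, List[Any]] = {
    "EventID": [4624],
    "LogonType": [3],
    "TargetUserName": ["ANONYMOUS LOGON"],
    "WorkstationName": ["-"],
    "IpAddress": ["127.0.0.1", "::1"],
}

# Constructed sample events modelled on Security event 4624 fields.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Local anonymous network logon from IPv4 loopback: what the rule targets.
    {"RecordNumber": 1001, "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "-",
     "IpAddress": "127.0.0.1"},
    # Same pattern over IPv6 loopback; mixed case checks case-insensitivity.
    {"RecordNumber": 1002, "EventID": 4624, "LogonType": 3,
     "TargetUserName": "Anonymous Logon", "WorkstationName": "-",
     "IpAddress": "::1"},
    # Anonymous logon from a remote host: not loopback, so not matched.
    {"RecordNumber": 1003, "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "-",
     "IpAddress": "10.0.0.5"},
    # Interactive logon by a named user on loopback: wrong type and user.
    {"RecordNumber": 1004, "EventID": 4624, "LogonType": 2,
     "TargetUserName": "jdoe", "WorkstationName": "WS01",
     "IpAddress": "127.0.0.1"},
    # Failed logon (4625), otherwise identical to 1001: wrong EventID.
    {"RecordNumber": 1005, "EventID": 4625, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "-",
     "IpAddress": "127.0.0.1"},
]


def _norm(value: Any) -> str:
    """Normalise a field value the way Sigma compares strings: case-insensitive."""
    return str(value).casefold()


def matches_selection(event: Mapping[str, Any],
                      selection: Mapping[str, List[Any]] = SELECTION) -> bool:
    """Return True when every selection field is present and has an allowed value."""
    for field, allowed in selection.items():
        if field not in event:
            return False
        if _norm(event[field]) not in {_norm(a) for a in allowed}:
            return False
    return True


def find_rotten_potato_logons(events: Iterable[Mapping[str, Any]]) -> List[Mapping[str, Any]]:
    """Return the events the rule would alert on (condition: selection)."""
    return [e for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in find_rotten_potato_logons(SAMPLE_EVENTS):
        print(f"ALERT record={hit['RecordNumber']} "
              f"user={hit['TargetUserName']!r} ip={hit['IpAddress']}")
```

Only records 1001 and 1002 are reported. Record 1003 shows why the rule keys on loopback addresses: an anonymous network logon from a remote host is ordinary SMB null-session noise, whereas an ANONYMOUS LOGON arriving over 127.0.0.1 or ::1 with no workstation name is the signature of a locally relayed authentication.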
References
- https://twitter.com/SBousseaden/status/1195284233729777665
Related rules
- Attempts of Kerberos Coercion Via DNS SPN Spoofing
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
- Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
- HackTool - ADCSPwn Execution
- HackTool - Impacket Tools Execution