RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Sigma rule
title: RottenPotato Like Attack Pattern
id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
status: test
description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
references:
    - https://twitter.com/SBousseaden/status/1195284233729777665
author: '@SBousseaden, Florian Roth'
date: 2019-11-15
modified: 2022-12-22
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1557.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        TargetUserName: 'ANONYMOUS LOGON'
        WorkstationName: '-'
        IpAddress:
            - '127.0.0.1'
            - '::1'
    condition: selection
falsepositives:
    - Unknown
level: high
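To show what this selection actually matches, the following is an added example (not code from the Sigma project or the rule authors) that applies the rule's five field conditions to constructed, flattened Security-log 4624 events. Sigma string comparison is case-insensitive and a list value means OR, so the matcher follows those semantics; the sample events and their RecordId values are constructed, not real telemetry.

```python
# Added example: evaluate the RottenPotato-like selection over sample events.
# Rule selection, transcribed from the YAML above (a map is AND, a list is OR).
SELECTION = {
    "EventID": ["4624"],
    "LogonType": ["3"],
    "TargetUserName": ["ANONYMOUS LOGON"],
    "WorkstationName": ["-"],
    "IpAddress": ["127.0.0.1", "::1"],
}


def field_matches(value, allowed):
    """Sigma compares strings case-insensitively; any listed value may match."""
    if value is None:
        return False
    return str(value).casefold() in {a.casefold() for a in allowed}


def rule_matches(event: dict) -> bool:
    """True when every field of the selection matches the event."""
    return all(field_matches(event.get(f), v) for f, v in SELECTION.items())


def find_matches(events):
    """Return the RecordId of every event the rule would flag."""
    return [e["RecordId"] for e in events if rule_matches(e)]


# Constructed sample events (flattened EventData of 4624/4625), not real logs.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "WorkstationName": "-", "IpAddress": "127.0.0.1"},        # loopback anonymous: hit
    {"RecordId": 2, "EventID": 4624, "LogonType": 3, "TargetUserName": "anonymous logon",
     "WorkstationName": "-", "IpAddress": "::1"},              # IPv6 loopback, case differs: hit
    {"RecordId": 3, "EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "WorkstationName": "FILESRV01", "IpAddress": "10.0.0.5"},  # remote null session: no hit
    {"RecordId": 4, "EventID": 4624, "LogonType": 2, "TargetUserName": "alice",
     "WorkstationName": "WS01", "IpAddress": "127.0.0.1"},     # interactive logon: no hit
    {"RecordId": 5, "EventID": 4625, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "WorkstationName": "-", "IpAddress": "127.0.0.1"},        # failed logon: no hit
]

if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # [1, 2]
```

Event 3 shows why the WorkstationName and loopback-address conditions matter: an ordinary anonymous network logon from another host is not flagged, only one that originates from the local machine itself.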