RottenPotato Like Attack Pattern

calendar Oct 18, 2023 · attack.privilege_escalation attack.credential_access attack.t1557.001  ·
Share on: linkedin copy

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Sigma rule (View on GitHub)

 1title: RottenPotato Like Attack Pattern
 2id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
 3status: test
 4description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
 5references:
 6    - https://twitter.com/SBousseaden/status/1195284233729777665
 7author: '@SBousseaden, Florian Roth'
 8date: 2019/11/15
 9modified: 2022/12/22
10tags:
11    - attack.privilege_escalation
12    - attack.credential_access
13    - attack.t1557.001
14logsource:
15    product: windows
16    service: security
17detection:
18    selection:
19        EventID: 4624
20        LogonType: 3
21        TargetUserName: 'ANONYMOUS LOGON'
22        WorkstationName: '-'
23        IpAddress:
24            - '127.0.0.1'
25            - '::1'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top