Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts with names similar to ANONYMOUS LOGON, such as names using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Sigma rule
```yaml
title: Suspicious Windows ANONYMOUS LOGON Local Account Created
id: 1bbf25b9-8038-4154-a50b-118f2a32be27
status: test
description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
references:
    - https://twitter.com/SBousseaden/status/1189469425482829824
author: James Pemberton / @4A616D6573
date: 2019-10-31
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1136.001
    - attack.t1136.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
        SamAccountName|contains|all:
            - 'ANONYMOUS'
            - 'LOGON'
    condition: selection
falsepositives:
    - Unknown
level: high
```
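As an added example (not part of the Sigma project or of this rule), the Python below evaluates the rule's selection against constructed events, next to a naive exact-name comparison, to show which account-name variants `contains|all` covers. The function names and the sample events are assumptions made for illustration.

```python
# Added example: evaluates this rule's selection against constructed events.
# Sigma string matching is case-insensitive by default; `contains|all` requires
# every listed substring to be present in the field value.

RULE_EVENT_ID = 4720
RULE_SUBSTRINGS = ("ANONYMOUS", "LOGON")  # values from the rule's selection


def matches_selection(event: dict) -> bool:
    """Return True when the event satisfies EventID 4720 AND contains|all."""
    if event.get("EventID") != RULE_EVENT_ID:
        return False
    name = str(event.get("SamAccountName", "")).lower()
    return all(sub.lower() in name for sub in RULE_SUBSTRINGS)


def matches_exact_name(event: dict) -> bool:
    """Naive comparison (hypothetical): exact equality with 'ANONYMOUS LOGON'."""
    return (event.get("EventID") == RULE_EVENT_ID
            and str(event.get("SamAccountName", "")).lower() == "anonymous logon")


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4720, "SamAccountName": "ANONYMOUS  LOGON"},  # double space
    {"EventID": 4720, "SamAccountName": "ANONYMOUS LOGON "},  # trailing space
    {"EventID": 4720, "SamAccountName": "anonymous_logon"},   # case and separator
    {"EventID": 4720, "SamAccountName": "svc_backup"},        # ordinary account
    {"EventID": 4738, "SamAccountName": "ANONYMOUS LOGON"},   # different event ID
]


def evaluate(events):
    """Return (name, rule_hit, exact_hit) per event for side-by-side comparison."""
    return [(e["SamAccountName"], matches_selection(e), matches_exact_name(e))
            for e in events]


if __name__ == "__main__":
    for name, rule_hit, exact_hit in evaluate(SAMPLE_EVENTS):
        print(f"{name!r:22} rule={rule_hit!s:5} exact={exact_hit}")
```

The substring match also hits any legitimate account whose name happens to contain both words, so a hit still needs triage of who created the account and from where.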
Related rules
- Cisco Local Accounts
- Creation Of A Local User Account
- Creation Of An User Account
- Creation of a Local Hidden User Account by Registry
- Hidden Local User Creation