Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Sigma rule (View on GitHub)
1title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
2id: 4d431012-2ab5-4db7-a84e-b29809da2172
3status: test
4description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
5references:
6 - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
7author: X__Junior (Nextron Systems)
8date: 2023-11-03
9tags:
10 - attack.defense-evasion
11 - attack.t1562.001
12logsource:
13 product: windows
14 category: registry_set
15detection:
16 selection:
17 TargetObject|contains: '\Microsoft\WBEM\CIMOM\AllowAnonymousCallback'
18 Details: 'DWORD (0x00000001)'
19 condition: selection
20falsepositives:
21 - Administrative activity
22level: medium
References
-
Connecting to a WMI namespace on a remote computer may require that you change the settings for Windows Firewall, User Account Control (UAC), DCOM, or Common Information Model Object Manager (CIMOM).
Read More
Related rules
- Obfuscated PowerShell OneLiner Execution
- Python Function Execution Security Warning Disabled In Excel
- Antivirus Filter Driver Disallowed On Dev Drive - Registry
- Potential AMSI Bypass Via .NET Reflection
- Python Function Execution Security Warning Disabled In Excel - Registry