Revert "Create win_susp_local_anon_logon_created.yml"
This reverts commit d174e172b0.
@@ -1,23 +0,0 @@
|
||||
title: Suspicious Windows ANONYMOUS LOGON Local Account Created
|
||||
status: experimental
|
||||
description: Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
|
||||
references:
|
||||
- https://twitter.com/SBousseaden/status/1189469425482829824
|
||||
author: James Pemberton / @4A616D6573
|
||||
date: 2019/10/31
|
||||
tags:
|
||||
- attack.persistence
|
||||
- attack.t1136
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
detection:
|
||||
selection:
|
||||
EventID:
|
||||
- '4720'
|
||||
user:
|
||||
- '*ANONYMOUS*LOGON*'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||