From c8e5fc4e6d70d41a9ae6917f3a4f30b3829db2ab Mon Sep 17 00:00:00 2001
From: 4A616D6573
Date: Thu, 31 Oct 2019 21:49:57 +1100
Subject: [PATCH] Revert "Create win_susp_local_anon_logon_created.yml"

This reverts commit d174e172b0ed163ee897f6f9eb40bf4be9a0e2ef.
---
 .../win_susp_local_anon_logon_created.yml | 23 -------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 rules/windows/builtin/win_susp_local_anon_logon_created.yml

diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
deleted file mode 100644
index d05c5fddf..000000000
--- a/rules/windows/builtin/win_susp_local_anon_logon_created.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Suspicious Windows ANONYMOUS LOGON Local Account Created
-status: experimental
-description: Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
-references:
- - https://twitter.com/SBousseaden/status/1189469425482829824
-author: James Pemberton / @4A616D6573
-date: 2019/10/31
-tags:
- - attack.persistence
- - attack.t1136
-logsource:
- product: windows
- service: security
-detection:
- selection:
- EventID:
- - '4720'
- user:
- - '*ANONYMOUS*LOGON*'
- condition: selection
-falsepositives:
- - Unknown
-level: high