security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/windows/builtin/security/win_security_hidden_user_creation.yml
T
Nasreddine Bencherchali 637d610884 chore: move rules to new folders (#4205)
2023-05-02 23:17:57 +02:00

24 lines
615 B
YAML
Raw Blame History

title: Hidden Local User Creation
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
status: test
description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
author: Christian Burkard (Nextron Systems)
date: 2021/05/03
modified: 2022/10/09
tags:
- attack.persistence
- attack.t1136.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
TargetUserName|endswith: '$'
condition: selection
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink