blue-team-tools/rules/windows/builtin/security/win_security_hidden_user_creation.yml
Nasreddine Bencherchali 7c38a5c496 chore: add nextron authors tag
2023-02-01 11:14:59 +01:00

title: Hidden Local User Creation
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
status: test
description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
references:
    - https://twitter.com/SBousseaden/status/1387743867663958021
author: Christian Burkard (Nextron Systems)
date: 2021/05/03
modified: 2022/10/09
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
        TargetUserName|endswith: '$'
    condition: selection
fields:
    - EventCode
    - AccountName
falsepositives:
    - Unknown
level: high
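As an added example (not part of the rule file or the repository), a small Python matcher that applies this rule's `selection` block to a few constructed Security event records, so the `EventID: 4720` plus `TargetUserName|endswith: '$'` logic can be seen against one hit and the benign records it ignores. The event dicts and the `match_hidden_user` / `find_hidden_user_creations` helpers are my own assumptions; the 4741 record is included because that event (computer account created) carries a trailing `$` legitimately, which is why the rule keys on 4720 only.

```python
"""Apply the Sigma selection above to constructed Windows Security events.

Events are modelled as flat dicts keyed by the field names Sigma uses for
the Security log (EventID, TargetUserName, SubjectUserName). Every sample
record below is constructed for illustration, not captured from a host.
"""
from typing import Iterable

# Mirrors the rule: EventID 4720 AND TargetUserName ending with '$'
RULE_EVENT_ID = 4720
RULE_SUFFIX = "$"


def match_hidden_user(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection` block.

    EventID is compared as a string because some exporters emit it as text
    ("4720") rather than an integer; TargetUserName is coerced the same way.
    """
    if str(event.get("EventID", "")) != str(RULE_EVENT_ID):
        return False
    name = str(event.get("TargetUserName", ""))
    return name.endswith(RULE_SUFFIX)


def find_hidden_user_creations(events: Iterable[dict]) -> list[str]:
    """Return the TargetUserName of every event that matches the rule."""
    return [e["TargetUserName"] for e in events if match_hidden_user(e)]


# Constructed sample events. Only the first is a true hit: a 4720
# ("user account was created") whose name carries the trailing '$'.
# 4741 is "computer account was created", where a trailing '$' is the norm
# for machine accounts, and 4726 is "user account was deleted"; neither
# is in scope for this rule, so they must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "admin", "TargetUserName": "support$"},
    {"EventID": 4720, "SubjectUserName": "admin", "TargetUserName": "jdoe"},
    {"EventID": "4741", "SubjectUserName": "admin", "TargetUserName": "WS01$"},
    {"EventID": 4726, "SubjectUserName": "admin", "TargetUserName": "old$"},
]

if __name__ == "__main__":
    for name in find_hidden_user_creations(SAMPLE_EVENTS):
        print(f"ALERT (level: high): hidden local user created: {name}")
```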