Detectionhightest

RottenPotato Like Attack Pattern

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

@sbousseaden, Florian Roth (Nextron Systems)Created Fri Nov 15Updated Thu Dec 2216f5d8ca-44bd-47c8-acbe-6fc95a16c12fwindows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4624
        LogonType: 3
        TargetUserName: 'ANONYMOUS LOGON'
        WorkstationName: '-'
        IpAddress:
            - '127.0.0.1'
            - '::1'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

twitter.com

MITRE ATT&CK

Tactics

TA0009 · Collection TA0004 · Privilege Escalation TA0006 · Credential Access

Sub-techniques

T1557.001 · LLMNR/NBT-NS Poisoning and SMB Relay

Rule Metadata

Rule ID

16f5d8ca-44bd-47c8-acbe-6fc95a16c12f

Status

test

Level

high

Type

Detection

Created

Fri Nov 15

Modified

Thu Dec 22

Author

@sbousseaden, Florian Roth (Nextron Systems)

Path

rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml

Raw Tags

attack.collectionattack.privilege-escalationattack.credential-accessattack.t1557.001

View on GitHub