Detection | medium | test
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains: '\Microsoft\WBEM\CIMOM\AllowAnonymousCallback'
        Details: 'DWORD (0x00000001)'
    condition: selection
False Positives
Administrative activity
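Added example (not part of the Sigma rule or its repository): the rule's selection evaluated in Python over constructed registry-set events, showing that both fields must match, that Sigma string comparison is case-insensitive, and that the `contains` modifier also covers other hive prefixes. The event field names follow Sysmon Event ID 13; the function names and sample events, including the `Image` values, are assumptions made for illustration.

```python
# Added example: evaluate the rule's `selection` against registry-set events.
# Field names (TargetObject, Details, Image) follow Sysmon Event ID 13.

NEEDLE = r"\Microsoft\WBEM\CIMOM\AllowAnonymousCallback"  # TargetObject|contains
ENABLED = "DWORD (0x00000001)"                            # Details (exact value)


def matches_selection(event):
    """True when both selection fields match; fields in a selection are ANDed."""
    # Sigma string comparisons are case-insensitive by default.
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return NEEDLE.lower() in target and details == ENABLED.lower()


def triage(events):
    """Return (Image, TargetObject) for each hit so an analyst can judge
    whether the writing process is expected administrative activity."""
    return [(e.get("Image", "?"), e["TargetObject"])
            for e in events if matches_selection(e)]


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    # Value enabled: matches.
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback",
     "Details": "DWORD (0x00000001)"},
    # Same value set to 0: path matches, Details does not.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback",
     "Details": "DWORD (0x00000000)"},
    # Different casing and hive prefix: still matches via `contains`.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"hklm\software\wow6432node\microsoft\wbem\cimom\allowanonymouscallback",
     "Details": "DWORD (0x00000001)"},
    # Different value under the same key: no match.
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\Logging",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, target in triage(SAMPLE_EVENTS):
        print(f"ALERT: {image} set {target}")
```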
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
4d431012-2ab5-4db7-a84e-b29809da2172
Status
test
Level
medium
Type
Detection
Created
Fri Nov 03
Path
rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
Raw Tags
attack.defense-evasion
attack.t1562.001