Windows ANONYMOUS LOGON local account created

This rule is part of a beta feature. To learn more, contact Support.
windows

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1136-create-account

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects the creation of a local user account containing “ANONYMOUS LOGON” in the name.

Strategy

This rule monitors Windows Security event logs for user account creation events with suspicious naming patterns. It specifically looks for Windows Event ID 4720 (User Account Created) where the SamAccountName contains both “ANONYMOUS” and “LOGON” strings. These naming patterns are suspicious as they attempt to mimic legitimate Windows system accounts. The creation of accounts with these naming patterns is uncommon in legitimate scenarios, and indicates an attacker attempting to establish persistence by creating accounts that blend in with system accounts, but grant interactive access.

Triage & Response

  • Examine the {{host}} system to verify the account creation event and identify who created the account.
  • Review the privileges assigned to the newly created account to determine its potential access level.
  • Check if the account has been added to any privileged groups such as Administrators or Remote Desktop Users.
  • Reset credentials for any potentially compromised administrator accounts that may have been used to create the suspicious account.