Windows ANONYMOUS LOGON local account created
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects the creation of a local user account containing “ANONYMOUS LOGON” in the name.
Strategy
This rule monitors Windows Security event logs for user account creation events with suspicious naming patterns. It specifically looks for Windows Event ID 4720 (User Account Created) where the SamAccountName contains both “ANONYMOUS” and “LOGON” strings. These naming patterns are suspicious as they attempt to mimic legitimate Windows system accounts. The creation of accounts with these naming patterns is uncommon in legitimate scenarios, and indicates an attacker attempting to establish persistence by creating accounts that blend in with system accounts, but grant interactive access.
Triage & Response
- Examine the
{{host}} system to verify the account creation event and identify who created the account. - Review the privileges assigned to the newly created account to determine its potential access level.
- Check if the account has been added to any privileged groups such as Administrators or Remote Desktop Users.
- Reset credentials for any potentially compromised administrator accounts that may have been used to create the suspicious account.
