Windows ANONYMOUS LOGON local account created
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detects the creation of a local user account containing “ANONYMOUS LOGON” in the name.
Strategy
This rule monitors Windows Security event logs for user account creation events with suspicious naming patterns. It specifically looks for Windows Event ID 4720 (User Account Created) where the SamAccountName contains both “ANONYMOUS” and “LOGON” strings. These naming patterns are suspicious as they attempt to mimic legitimate Windows system accounts. The creation of accounts with these naming patterns is uncommon in legitimate scenarios, and indicates an attacker attempting to establish persistence by creating accounts that blend in with system accounts, but grant interactive access.
Triage & Response
- Examine the
{{host}} system to verify the account creation event and identify who created the account. - Review the privileges assigned to the newly created account to determine its potential access level.
- Check if the account has been added to any privileged groups such as Administrators or Remote Desktop Users.
- Reset credentials for any potentially compromised administrator accounts that may have been used to create the suspicious account.
