Date: 09/03/2024
Severity: Medium
Summary
Detects the activation of the "AllowAnonymousCallback" registry value, which permits remote connections between computers lacking a trust relationship.
Indicators of Compromise (IOC) List
| Field | Value |
| --- | --- |
| TargetObject | '\Microsoft\WBEM\CIMOM\AllowAnonymousCallback' |
| Details | 'DWORD (0x00000001)' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Query | Expression |
| --- | --- |
| Detection Query 1 | ((resourceName = "Sysmon" AND eventtype = "13" ) AND targetobject = "\Microsoft\WBEM\CIMOM\AllowAnonymousCallback" ) AND details = "DWORD (0x00000001)" |
| Detection Query 2 | ((Technologygroup = "EDR" ) AND targetobject = "\Microsoft\WBEM\CIMOM\AllowAnonymousCallback" ) AND details = "DWORD (0x00000001)" |
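As an added example (not part of the Gurucul page or the referenced Sigma rule), the matcher below applies the same detection logic to constructed Sysmon Event ID 13 records. Sysmon records the full key path (for example HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback), so the example uses a suffix comparison like the Sigma rule rather than exact equality on the bare path; the record layout and field names are assumptions.

```python
from dataclasses import dataclass

# Registry value the detection looks for. Sysmon logs the full key path,
# so the match is on the suffix, as the referenced Sigma rule does.
TARGET_SUFFIX = r"\Microsoft\WBEM\CIMOM\AllowAnonymousCallback"
ENABLED_DETAIL = "DWORD (0x00000001)"


@dataclass
class SysmonEvent:
    """Minimal Sysmon registry event (assumed field names)."""
    event_id: int          # 13 = RegistryEvent (Value Set)
    image: str             # process that wrote the value
    target_object: str     # full registry path as Sysmon records it
    details: str           # new value as Sysmon renders it


def is_anonymous_callback_enabled(ev: SysmonEvent) -> bool:
    """True when the event sets AllowAnonymousCallback to 1."""
    if ev.event_id != 13:
        return False
    if not ev.target_object.lower().endswith(TARGET_SUFFIX.lower()):
        return False
    return ev.details.strip().lower() == ENABLED_DETAIL.lower()


def find_alerts(events):
    """Return (image, target_object) for every matching event."""
    return [(e.image, e.target_object)
            for e in events if is_anonymous_callback_enabled(e)]


# Constructed sample records for offline testing (not real telemetry).
SAMPLE_EVENTS = [
    SysmonEvent(13, r"C:\Windows\regedit.exe",
                r"HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback",
                "DWORD (0x00000001)"),   # value enabled: alert
    SysmonEvent(13, r"C:\Windows\System32\svchost.exe",
                r"HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback",
                "DWORD (0x00000000)"),   # value disabled: no alert
    SysmonEvent(12, r"C:\Windows\regedit.exe",
                r"HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\AllowAnonymousCallback",
                ""),                     # key create/delete, not value set
    SysmonEvent(13, r"C:\Windows\System32\svchost.exe",
                r"HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\EnableEvents",
                "DWORD (0x00000001)"),   # different value under CIMOM: no alert
]

if __name__ == "__main__":
    for image, key in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT AllowAnonymousCallback enabled by {image}: {key}")
```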
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml
https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista