
Summary
The 'RottenPotato Like Attack Pattern' detection rule identifies logon events characteristic of the RottenPotato technique and the family of tools that followed it. These tools abuse the SeImpersonatePrivilege held by many service accounts: a low-privileged process coerces a SYSTEM-level service into authenticating to a listener under its control, relays that NTLM authentication locally, and ends up with an impersonation token for the higher-privileged account. The rule focuses on the Windows Security log, specifically event ID 4624 (an account was successfully logged on). The detection criteria are LogonType 3 (network logon) with a target username of 'ANONYMOUS LOGON' and a source IP address in the local loopback range (127.0.0.1 or ::1). An anonymous network logon that originates from the machine itself is the signature of the local NTLM relay these tools perform; anonymous network logons from remote hosts are common (null sessions, browser and printer traffic) and are deliberately outside the rule's scope. By flagging matches at a high alert level, the rule helps analysts recognise privilege escalation or credential access attempts that could precede further exploitation of the host or the network. Tuning and contextual analysis (the process and account involved, and what the host did immediately afterwards) are still recommended to limit false positives from legitimate local or administrative activity.
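The selection logic described above, re-implemented as a standalone matcher and run over a handful of constructed 4624/4625 events. This is an added example, not the rule's own code or the Sigma project's code; it assumes the event fields are available as a mapping with the names Windows uses in the 4624 EventData (EventID, LogonType, TargetUserName, IpAddress, plus a RecordId we use only to report hits), and it treats "local connections" as the IPv4 and IPv6 loopback addresses, including the IPv4-mapped form some collectors emit.

```python
"""Added example: 'RottenPotato Like Attack Pattern' selection logic as a
standalone Python matcher, exercised over constructed Security-log events.
Not the rule's own code; field names follow the 4624 EventData schema."""
import ipaddress
from typing import Any, Iterable, List, Mapping


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 or ::1; also unwraps the IPv4-mapped form
    (::ffff:127.0.0.1) that some collectors write. Windows writes '-' in
    IpAddress for some local logons; that is not an address and returns False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    mapped = getattr(addr, "ipv4_mapped", None)  # None unless IPv4-mapped IPv6
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def matches_rottenpotato_pattern(event: Mapping[str, Any]) -> bool:
    """Sigma-style selection: successful logon (4624), network logon type (3),
    target account ANONYMOUS LOGON, and a loopback source address.
    Values are compared as strings, case-insensitively, because collectors
    disagree on whether numeric fields arrive as int or str and Sigma string
    matching is case-insensitive."""
    if str(event.get("EventID", "")) != "4624":
        return False
    if str(event.get("LogonType", "")) != "3":
        return False
    if str(event.get("TargetUserName", "")).strip().upper() != "ANONYMOUS LOGON":
        return False
    return is_loopback(str(event.get("IpAddress", "")).strip())


def hunt(events: Iterable[Mapping[str, Any]]) -> List[int]:
    """Return the RecordIds of events matching the pattern, in input order."""
    return [int(e["RecordId"]) for e in events if matches_rottenpotato_pattern(e)]


# Constructed sample events (not real telemetry). Only fields the matcher
# reads are populated, plus RecordId and a comment on why each is here.
SAMPLE_EVENTS = [
    # Local NTLM relay result: anonymous network logon from loopback -> hit
    {"RecordId": 1001, "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "-",
     "IpAddress": "127.0.0.1"},
    # Ordinary null session from a remote host: common, out of scope -> no hit
    {"RecordId": 1002, "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "FILESRV01",
     "IpAddress": "10.0.0.25"},
    # Interactive console logon by a user -> no hit
    {"RecordId": 1003, "EventID": 4624, "LogonType": 2,
     "TargetUserName": "jsmith", "WorkstationName": "WS-0142",
     "IpAddress": "-"},
    # Named service account over loopback (e.g. local SQL/backup job) -> no hit
    {"RecordId": 1004, "EventID": 4624, "LogonType": "3",
     "TargetUserName": "svc_backup", "WorkstationName": "-",
     "IpAddress": "127.0.0.1"},
    # Failed logon (4625): the rule keys on successful logons only -> no hit
    {"RecordId": 1005, "EventID": 4625, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "WorkstationName": "-",
     "IpAddress": "::1"},
    # Same pattern with lowercase name and IPv4-mapped IPv6 source -> hit
    {"RecordId": 1006, "EventID": "4624", "LogonType": "3",
     "TargetUserName": "anonymous logon", "WorkstationName": "-",
     "IpAddress": "::ffff:127.0.0.1"},
]

if __name__ == "__main__":
    print("matching RecordIds:", hunt(SAMPLE_EVENTS))  # [1001, 1006]
```

Events 1002 and 1004 show the two filters that keep the rule quiet in practice: the source address must be loopback, and the target must be the anonymous account rather than a named service account. When tuning, resist widening either of them; instead enrich a hit with the 4624 ProcessName/SubjectLogonId and the next few process-creation events on the same host, which is where a genuine Potato-style escalation becomes obvious.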
Categories
- Windows
- Network
- Endpoint
Data Sources
- User Account
- Logon Session
- Application Log
Created: 2019-11-15