Find sigma rule
Attack: Create Account: Local Account
Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows net user /add
command can be used to create a local account. On macOS systems the dscl -create
command can be used to create a local account. Local accounts may also be added to network devices, often via common Network Device CLI commands such as username
, or to Kubernetes clusters using the kubectl
utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
MITRE
Tactic
- persistence
technique
- T1136.001
Test : Create a new user in a command prompt
OS
- windows
Description:
Creates a new user in a command prompt. Upon execution, “The command completed successfully.” will be displayed. To verify the new account, run “net user” in powershell or CMD and observe that there is a new user named “T1136.001_CMD”
Executor
command_prompt
Sigma Rule
-
proc_creation_win_net_user_add.yml (id: cd219ff3-fa99-45d4-8380-a7d15116c6dc)
-
proc_creation_win_net_execution.yml (id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac)