Find sigma rule
Attack: Valid Accounts: Local Accounts
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through OS Credential Dumping. Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
MITRE
Tactic
- privilege-escalation
- defense-evasion
- persistence
- initial-access
technique
- T1078.003
Test : Create local account with admin privileges
OS
- windows
Description:
After execution the new account will be active and added to the Administrators group
Executor
command_prompt
Sigma Rule
-
proc_creation_win_net_user_add.yml (id: cd219ff3-fa99-45d4-8380-a7d15116c6dc)
-
proc_creation_win_net_execution.yml (id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac)
-
proc_creation_win_susp_local_system_owner_account_discovery.yml (id: 502b42de-4306-40b4-9596-6f590c81f073)