User Account Creation

Identifies creation of local users via the net.exe command.

id:014c3f51-89c6-40f1-ac9c-5688f26090ab categories:detect, hunt confidence:low os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Persistence, Credential Access techniques:T1136 Create Account

Query

process where subtype.create and
  (process_name == "net.exe" or (process_name == "net1.exe" and parent_process_name != "net.exe")) and
  command_line == "* user */ad*"

Detonation

Atomic Red Team: T1136

Contributors

• Endgame