Account Creation
| Id | 450f4e56-5bba-4070-b9d9-9204ba9d777d |
| Rulename | Account Creation |
| Description | User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136. Tags: #CreateAccount. Query #1: Query for users being created using “net user” command. “net user” commands are noisy, so needs to be joined with another signal -. E.g. in this example we look for use of uncommon & undocumented commandline switches (e.g. /ad instead of /add). |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1136 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Persistence/AccountCreation.yaml |
| Version | 1.0.0 |
| Arm template | 450f4e56-5bba-4070-b9d9-9204ba9d777d.json |
DeviceProcessEvents
// Pro-tip:
// There are many different ways to run a process from a file - e.g. by using full path, env. variables, ~1 annotation, more...
// So, to find executions of a known filename, better filter on the filename (and possibly on folder path) than on the commandline.
| where FileName in~ ("net.exe", "net1.exe")
// Parse the user name from the commandline.
// To have case-insensitive parsing use the i flag, to have non-greedy match (e.g. CreatedUser as short as possible), specify U flag:
// "kind=regex flags=i"
| parse kind=regex flags=iU ProcessCommandLine with * "user " CreatedUser " " * "/ad"
// Filter rows where user could not be parsed - e.g. because it was not a user command, or the /add commandline switch was not specified.
| where isnotempty(CreatedUser)
// Every net.exe executed will run net1.exe with the same commandline.
// in this where clause we remove such rows, as they duplicate the number of results we have without adding any value.
| where not (FileName =~ "net1.exe" and InitiatingProcessFileName =~ "net.exe" and replace("net", "net1", InitiatingProcessCommandLine) =~ ProcessCommandLine)
// If /domain is specified, so the user is created on the domain controller.
// Also, any prefix that's longer than 1 char will also do the same, e.g. /do, /dom, /doma, ....
| extend CreatedOnLocalMachine=(ProcessCommandLine !contains "/do")
| where ProcessCommandLine !contains "/add" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains "/domain")
| summarize MachineCount=dcount(DeviceName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
relevantTechniques:
- T1136
name: Account Creation
requiredDataConnectors:
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
entityType: Host
- fieldMappings:
- identifier: ProcessId
columnName: ProcessId
- identifier: CommandLine
columnName: ProcessCommandLine
entityType: Process
triggerThreshold: 0
id: 450f4e56-5bba-4070-b9d9-9204ba9d777d
tactics:
- Persistence
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Persistence/AccountCreation.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
User accounts may be created to achieve persistence on a machine.
Read more here: https://attack.mitre.org/wiki/Technique/T1136.
Tags: #CreateAccount.
Query #1: Query for users being created using "net user" command.
"net user" commands are noisy, so needs to be joined with another signal -.
E.g. in this example we look for use of uncommon & undocumented commandline switches (e.g. /ad instead of /add).
query: |
DeviceProcessEvents
// Pro-tip:
// There are many different ways to run a process from a file - e.g. by using full path, env. variables, ~1 annotation, more...
// So, to find executions of a known filename, better filter on the filename (and possibly on folder path) than on the commandline.
| where FileName in~ ("net.exe", "net1.exe")
// Parse the user name from the commandline.
// To have case-insensitive parsing use the i flag, to have non-greedy match (e.g. CreatedUser as short as possible), specify U flag:
// "kind=regex flags=i"
| parse kind=regex flags=iU ProcessCommandLine with * "user " CreatedUser " " * "/ad"
// Filter rows where user could not be parsed - e.g. because it was not a user command, or the /add commandline switch was not specified.
| where isnotempty(CreatedUser)
// Every net.exe executed will run net1.exe with the same commandline.
// in this where clause we remove such rows, as they duplicate the number of results we have without adding any value.
| where not (FileName =~ "net1.exe" and InitiatingProcessFileName =~ "net.exe" and replace("net", "net1", InitiatingProcessCommandLine) =~ ProcessCommandLine)
// If /domain is specified, so the user is created on the domain controller.
// Also, any prefix that's longer than 1 char will also do the same, e.g. /do, /dom, /doma, ....
| extend CreatedOnLocalMachine=(ProcessCommandLine !contains "/do")
| where ProcessCommandLine !contains "/add" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains "/domain")
| summarize MachineCount=dcount(DeviceName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/450f4e56-5bba-4070-b9d9-9204ba9d777d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/450f4e56-5bba-4070-b9d9-9204ba9d777d')]",
"properties": {
"alertRuleTemplateName": "450f4e56-5bba-4070-b9d9-9204ba9d777d",
"customDetails": null,
"description": "User accounts may be created to achieve persistence on a machine.\nRead more here: https://attack.mitre.org/wiki/Technique/T1136.\nTags: #CreateAccount.\nQuery #1: Query for users being created using \"net user\" command.\n\"net user\" commands are noisy, so needs to be joined with another signal -.\nE.g. in this example we look for use of uncommon & undocumented commandline switches (e.g. /ad instead of /add).\n",
"displayName": "Account Creation",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "DnsDomain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "ProcessId",
"identifier": "ProcessId"
},
{
"columnName": "ProcessCommandLine",
"identifier": "CommandLine"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Persistence/AccountCreation.yaml",
"query": "DeviceProcessEvents\n// Pro-tip: \n// There are many different ways to run a process from a file - e.g. by using full path, env. variables, ~1 annotation, more...\n// So, to find executions of a known filename, better filter on the filename (and possibly on folder path) than on the commandline.\n| where FileName in~ (\"net.exe\", \"net1.exe\")\n// Parse the user name from the commandline.\n// To have case-insensitive parsing use the i flag, to have non-greedy match (e.g. CreatedUser as short as possible), specify U flag:\n// \"kind=regex flags=i\"\n| parse kind=regex flags=iU ProcessCommandLine with * \"user \" CreatedUser \" \" * \"/ad\"\n// Filter rows where user could not be parsed - e.g. because it was not a user command, or the /add commandline switch was not specified.\n| where isnotempty(CreatedUser)\n// Every net.exe executed will run net1.exe with the same commandline.\n// in this where clause we remove such rows, as they duplicate the number of results we have without adding any value.\n| where not (FileName =~ \"net1.exe\" and InitiatingProcessFileName =~ \"net.exe\" and replace(\"net\", \"net1\", InitiatingProcessCommandLine) =~ ProcessCommandLine)\n// If /domain is specified, so the user is created on the domain controller.\n// Also, any prefix that's longer than 1 char will also do the same, e.g. /do, /dom, /doma, ....\n| extend CreatedOnLocalMachine=(ProcessCommandLine !contains \"/do\")\n| where ProcessCommandLine !contains \"/add\" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains \"/domain\")\n| summarize MachineCount=dcount(DeviceName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, DeviceName\n| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)\n| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), \"\")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1136"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}