Account Creation
| Id | 450f4e56-5bba-4070-b9d9-9204ba9d777d |
| Rulename | Account Creation |
| Description | User accounts may be created to achieve persistence on a machine. Read more here: https://attack.mitre.org/wiki/Technique/T1136. Tags: #CreateAccount. Query #1: Query for users being created using “net user” command. “net user” commands are noisy, so needs to be joined with another signal -. E.g. in this example we look for use of uncommon & undocumented commandline switches (e.g. /ad instead of /add). |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1136 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Persistence/AccountCreation.yaml |
| Version | 1.0.0 |
| Arm template | 450f4e56-5bba-4070-b9d9-9204ba9d777d.json |
DeviceProcessEvents
// Pro-tip:
// There are many different ways to run a process from a file - e.g. by using full path, env. variables, ~1 annotation, more...
// So, to find executions of a known filename, better filter on the filename (and possibly on folder path) than on the commandline.
| where FileName in~ ("net.exe", "net1.exe")
// Parse the user name from the commandline.
// To have case-insensitive parsing use the i flag, to have non-greedy match (e.g. CreatedUser as short as possible), specify U flag:
// "kind=regex flags=i"
| parse kind=regex flags=iU ProcessCommandLine with * "user " CreatedUser " " * "/ad"
// Filter rows where user could not be parsed - e.g. because it was not a user command, or the /add commandline switch was not specified.
| where isnotempty(CreatedUser)
// Every net.exe executed will run net1.exe with the same commandline.
// in this where clause we remove such rows, as they duplicate the number of results we have without adding any value.
| where not (FileName =~ "net1.exe" and InitiatingProcessFileName =~ "net.exe" and replace("net", "net1", InitiatingProcessCommandLine) =~ ProcessCommandLine)
// If /domain is specified, so the user is created on the domain controller.
// Also, any prefix that's longer than 1 char will also do the same, e.g. /do, /dom, /doma, ....
| extend CreatedOnLocalMachine=(ProcessCommandLine !contains "/do")
| where ProcessCommandLine !contains "/add" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains "/domain")
| summarize MachineCount=dcount(DeviceName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
description: |
User accounts may be created to achieve persistence on a machine.
Read more here: https://attack.mitre.org/wiki/Technique/T1136.
Tags: #CreateAccount.
Query #1: Query for users being created using "net user" command.
"net user" commands are noisy, so needs to be joined with another signal -.
E.g. in this example we look for use of uncommon & undocumented commandline switches (e.g. /ad instead of /add).
kind: Scheduled
tactics:
- Persistence
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/Persistence/AccountCreation.yaml
severity: Medium
name: Account Creation
triggerThreshold: 0
queryPeriod: 1h
query: |
DeviceProcessEvents
// Pro-tip:
// There are many different ways to run a process from a file - e.g. by using full path, env. variables, ~1 annotation, more...
// So, to find executions of a known filename, better filter on the filename (and possibly on folder path) than on the commandline.
| where FileName in~ ("net.exe", "net1.exe")
// Parse the user name from the commandline.
// To have case-insensitive parsing use the i flag, to have non-greedy match (e.g. CreatedUser as short as possible), specify U flag:
// "kind=regex flags=i"
| parse kind=regex flags=iU ProcessCommandLine with * "user " CreatedUser " " * "/ad"
// Filter rows where user could not be parsed - e.g. because it was not a user command, or the /add commandline switch was not specified.
| where isnotempty(CreatedUser)
// Every net.exe executed will run net1.exe with the same commandline.
// in this where clause we remove such rows, as they duplicate the number of results we have without adding any value.
| where not (FileName =~ "net1.exe" and InitiatingProcessFileName =~ "net.exe" and replace("net", "net1", InitiatingProcessCommandLine) =~ ProcessCommandLine)
// If /domain is specified, so the user is created on the domain controller.
// Also, any prefix that's longer than 1 char will also do the same, e.g. /do, /dom, /doma, ....
| extend CreatedOnLocalMachine=(ProcessCommandLine !contains "/do")
| where ProcessCommandLine !contains "/add" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains "/domain")
| summarize MachineCount=dcount(DeviceName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, DeviceName
| extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
| extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
relevantTechniques:
- T1136
id: 450f4e56-5bba-4070-b9d9-9204ba9d777d
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Host
fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: DnsDomain
identifier: DnsDomain
- entityType: Process
fieldMappings:
- columnName: ProcessId
identifier: ProcessId
- columnName: ProcessCommandLine
identifier: CommandLine