DEV-0270 New User Creation

(union isfuzzy=true
(SecurityEvent
| where EventID == 4688
| where CommandLine has_all ('net user', '/add') 
| parse CommandLine with * "user " username " "*
| extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, CommandLine) 
| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394') 
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
),
(DeviceProcessEvents 
| where InitiatingProcessCommandLine has_all('net user', '/add') 
| parse InitiatingProcessCommandLine with * "user " username " "* 
| extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine) 
| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394') 
| extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
)
)
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])

description: |
    'The following query tries to detect creation of a new user using a known DEV-0270 username/password schema'
kind: Scheduled
tactics:
- Persistence
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270NewUserSep2022.yaml
severity: High
name: DEV-0270 New User Creation
triggerThreshold: 0
queryPeriod: 6h
query: |
  (union isfuzzy=true
  (SecurityEvent
  | where EventID == 4688
  | where CommandLine has_all ('net user', '/add') 
  | parse CommandLine with * "user " username " "*
  | extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, CommandLine) 
  | where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394') 
  | project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
  ),
  (DeviceProcessEvents 
  | where InitiatingProcessCommandLine has_all('net user', '/add') 
  | parse InitiatingProcessCommandLine with * "user " username " "* 
  | extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine) 
  | where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394') 
  | extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
  )
  )
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])  
relevantTechniques:
- T1098
id: 7965f0be-c039-4d18-8ee8-9a6add8aecf3
queryFrequency: 6h
status: Available
triggerOperator: gt
version: 1.0.3
tags:
- Dev-0270
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Account
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountNTDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain