Query Details

Commandline User Addition

Query

DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user") 
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine

About this query

Commandline User Addition

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1136.002Create Account: Domain Accounthttps://attack.mitre.org/techniques/T1136/002/

Description

This query is aimed to detect users that are added via the commandline. Adding users via the commandline is a common technique used by adversaries to gain persistence on systems. Some examples of commandlines used by aderveraries are shown below.

net user username \password \domain
net user /add /domain

Risk

An attacker got access to a system and created an account for persitence.

References

Defender XDR

Sentinel

DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user") 
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine

Explanation

This query is designed to detect when new user accounts are created on a system using command-line tools, specifically targeting the use of "net.exe" or "net1.exe" with commands that include "add" and "user". This is a common method used by attackers to maintain access to a system by creating new accounts. The query looks for these specific command-line activities and provides information such as the time the command was executed, the device on which it was executed, and the exact command line used. This helps in identifying potential unauthorized account creation, which is a security risk indicating that an attacker might have gained access to the system.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessCommandlineUserAccountSystemPersistenceAdversaries

Operators

inhas_allproject

MITRE Techniques

Actions

GitHub