Commandline User Addition
Query
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLineAbout this query
Commandline User Addition
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1136.002 | Create Account: Domain Account | https://attack.mitre.org/techniques/T1136/002/ |
Description
This query is aimed to detect users that are added via the commandline. Adding users via the commandline is a common technique used by adversaries to gain persistence on systems. Some examples of commandlines used by aderveraries are shown below.
net user username \password \domain
net user /add /domain
Risk
An attacker got access to a system and created an account for persitence.
References
Defender XDR
Sentinel
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
Explanation
This query is designed to detect when new user accounts are created on a system using command-line tools, specifically targeting the use of "net.exe" or "net1.exe" with commands that include "add" and "user". This is a common method used by attackers to maintain access to a system by creating new accounts. The query looks for these specific command-line activities and provides information such as the time the command was executed, the device on which it was executed, and the exact command line used. This helps in identifying potential unauthorized account creation, which is a security risk indicating that an attacker might have gained access to the system.
