Query Details
Commandline User Addition
Query
# Commandline User Addition
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1136.002 | Create Account: Domain Account | https://attack.mitre.org/techniques/T1136/002/ |
#### Description
This query is aimed to detect users that are added via the commandline. Adding users via the commandline is a common technique used by adversaries to gain persistence on systems. Some examples of commandlines used by aderveraries are shown below.
```PowerShell
net user username \password \domain
net user /add /domain
```
#### Risk
An attacker got access to a system and created an account for persitence.
#### References
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
## Defender For Endpoint
```KQL
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
```
## Sentinel
```KQL
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
```Explanation
This query is used to detect when users are added via the command line on a system. Attackers often use this technique to gain persistence. The query looks for specific command lines like "net user username \password \domain" or "net user /add /domain". If these commands are detected, it could indicate a security risk as an attacker may have created an account for persistence.
Details
Bert-Jan Pals
Released: February 28, 2024
Tables
DeviceProcessEvents
Keywords
DeviceProcessEvents,FileName,ProcessCommandLine,InitiatingProcessCommandLine,Timestamp,DeviceName
Operators
whereinhas_allproject