# Local Account Created

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1136.001 | Create Account: Local Account | https://attack.mitre.org/techniques/T1136/001/ |

#### Description
Adversaries may create local accounts to perform malicious activities. Those accounts can then be used to log on to the compromised system without the need for persistent tooling on the victim's device. This query lists all local account additions in your search window. For Defender for Endpoint the query contains a filter on DeviceType (server or workstation); that filter is not enabled by default. DeviceType is not yet available in Sentinel, so the Sentinel query differs from the MDE one.

#### Risk
An actor uses a local account to perform malicious activities. Those accounts are often added to the local administrator group to perform privileged tasks.

#### References
- https://blog.carnal0wnage.com/2012/09/more-on-aptsim.html
- https://www.mandiant.com/resources/blog/darkside-affiliate-supply-chain-software-compromise

## Defender For Endpoint
```
// Collect all Server IDs for filter
let Servers = DeviceInfo
     | where DeviceType == 'Server'
     | summarize make_set(DeviceId);
// Collect all Workstation IDs for filter
let WorkStations = DeviceInfo
     | where DeviceType == 'Workstation'
     | summarize make_set(DeviceId);
DeviceEvents
| where ActionType == 'UserAccountCreated'
// Extract the DeviceName without the domain name
| extend DeviceNameWithoutDomain = extract(@'(.*?)\.', 1, DeviceName)
// Filter on local additions: for a local account the AccountDomain equals the host part of the DeviceName
| where AccountDomain =~ DeviceNameWithoutDomain
// Enable one of the filters below to restrict the results to workstations or servers.
// Uncomment the line below to filter on workstations
//| where DeviceId in (WorkStations)
// Uncomment the line below to filter on servers
//| where DeviceId in (Servers)
// Add DeviceType
| extend DeviceType = iff(DeviceId in (WorkStations), 'WorkStation', iff(DeviceId in (Servers), 'Server', 'Other'))
| project
     Timestamp,
     DeviceName,
     DeviceType,
     ActionType,
     AccountDomain,
     AccountName,
     AccountSid
```
## Sentinel
```
// The DeviceType filter is not possible because the DeviceType column is not available in Sentinel. For best performance use the MDE query.
DeviceEvents
| where ActionType == 'UserAccountCreated'
// Extract the DeviceName without the domain name
| extend DeviceNameWithoutDomain = extract(@'(.*?)\.', 1, DeviceName)
// Filter on local additions: for a local account the AccountDomain equals the host part of the DeviceName
| where AccountDomain =~ DeviceNameWithoutDomain
| project TimeGenerated, DeviceName, ActionType, AccountDomain, AccountName, AccountSid
```
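To show what the `where` clauses above keep and drop, here is the same matching logic replayed in Python over a handful of constructed DeviceEvents rows (added example, not part of the original query or its repository). The `SERVERS` and `WORKSTATIONS` sets stand in for the `let` statements built from DeviceInfo, and one row uses a DeviceName without a domain suffix, which the `(.*?)\.` regex never matches and the query therefore never reports.

```python
import re

# Constructed sample DeviceEvents rows (not real telemetry), one per case the query has to handle.
SAMPLE_EVENTS = [
    # local account on a server -> reported
    {"Timestamp": "2023-05-10T08:01:00Z", "DeviceName": "srv-files01.corp.example.local", "DeviceId": "id-srv-01",
     "ActionType": "UserAccountCreated", "AccountDomain": "srv-files01", "AccountName": "svc_backup", "AccountSid": "S-1-5-21-1-1-1-1001"},
    # domain account created from a workstation: AccountDomain is the AD domain, not the host -> excluded
    {"Timestamp": "2023-05-10T08:05:00Z", "DeviceName": "ws-fin12.corp.example.local", "DeviceId": "id-ws-12",
     "ActionType": "UserAccountCreated", "AccountDomain": "CORP", "AccountName": "jdoe", "AccountSid": "S-1-5-21-2-2-2-1105"},
    # local account where host name and AccountDomain differ in case: =~ is case-insensitive -> reported
    {"Timestamp": "2023-05-10T09:12:00Z", "DeviceName": "WS-HR03.corp.example.local", "DeviceId": "id-ws-03",
     "ActionType": "UserAccountCreated", "AccountDomain": "ws-hr03", "AccountName": "helpdesk", "AccountSid": "S-1-5-21-3-3-3-1002"},
    # device reported without a domain suffix: the regex needs a dot, so the row silently falls through
    {"Timestamp": "2023-05-10T10:30:00Z", "DeviceName": "labbox", "DeviceId": "id-other-7",
     "ActionType": "UserAccountCreated", "AccountDomain": "labbox", "AccountName": "tmpadmin", "AccountSid": "S-1-5-21-4-4-4-1003"},
    # other action type -> excluded
    {"Timestamp": "2023-05-10T11:00:00Z", "DeviceName": "srv-files01.corp.example.local", "DeviceId": "id-srv-01",
     "ActionType": "UserAccountDeleted", "AccountDomain": "srv-files01", "AccountName": "svc_backup", "AccountSid": "S-1-5-21-1-1-1-1001"},
]
SERVERS = {"id-srv-01"}                  # stands in for the Servers set built from DeviceInfo
WORKSTATIONS = {"id-ws-12", "id-ws-03"}  # stands in for the WorkStations set built from DeviceInfo


def device_name_without_domain(device_name: str) -> str:
    # Mirror extract(@'(.*?)\.', 1, DeviceName): lazy match up to the first dot, '' when there is no dot.
    m = re.search(r"(.*?)\.", device_name)
    return m.group(1) if m else ""


def device_type(device_id: str) -> str:
    # Mirror the nested iff(): WorkStation is checked first, then Server, otherwise Other.
    return "WorkStation" if device_id in WORKSTATIONS else "Server" if device_id in SERVERS else "Other"


def local_account_creations(events):
    # Return the rows the MDE query would project, in input order.
    hits = []
    for e in events:
        if e["ActionType"] != "UserAccountCreated":
            continue
        # AccountDomain =~ DeviceNameWithoutDomain (case-insensitive equality)
        if e["AccountDomain"].lower() != device_name_without_domain(e["DeviceName"]).lower():
            continue
        hits.append({"Timestamp": e["Timestamp"], "DeviceName": e["DeviceName"], "DeviceType": device_type(e["DeviceId"]),
                     "ActionType": e["ActionType"], "AccountDomain": e["AccountDomain"],
                     "AccountName": e["AccountName"], "AccountSid": e["AccountSid"]})
    return hits


if __name__ == "__main__":
    for row in local_account_creations(SAMPLE_EVENTS):
        print(row)
```

Running it reports only `svc_backup` (Server) and `helpdesk` (WorkStation); the `labbox` row shows why hosts that report a bare hostname need a different DeviceName normalisation before this query will see them.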

## Explanation

The query identifies local account creations on a system by listing all local account additions in the search window. It extracts the device name without its domain suffix and keeps only the UserAccountCreated events whose account domain matches that host name, which is the signature of a local rather than a domain account. In Defender for Endpoint the query can additionally be filtered on device type (server or workstation); that filter is not available in Sentinel. The risk is that an actor uses such a local account for malicious activities, often with elevated privileges. The MDE output includes the timestamp, device name, device type, action type, account domain, account name and account SID; the Sentinel output is the same without the device type.

## Details

Author: Bert-Jan Pals

Released: May 10, 2023

Tables: DeviceEvents

Keywords: DeviceEvents, ActionType, UserAccountCreated, DeviceName, Domain, AccountDomain, DeviceType, DeviceId, Workstation, Server, Timestamp, AccountName, AccountSid

Operators: where, extend, extract, summarize, make_set, project