Local Account Created
Query
// Collect all Server IDs for filter
let Servers = DeviceInfo
| where DeviceType == 'Server'
| summarize make_set(DeviceId);
// Collect all Workstation IDs for filter
let WorkStations = DeviceInfo
| where DeviceType == 'Workstation'
| summarize make_set(DeviceId);
DeviceEvents
| where ActionType == 'UserAccountCreated'
// Extract the DeviceName without the domain name
| extend DeviceNameWithoutDomain = extract(@'(.*?)\.', 1, DeviceName)
// Filter on local additions, then the AccountDomain is equal on the
DeviceName
| where AccountDomain =~ DeviceNameWithoutDomain
// Enable filters if you want to filter specificly on servers or workstations.
// Uncomment line below for filter on workstations
//| where DeviceId in (WorkStations)
// Uncomment line below for filter on servers
//| where DeviceId in (Servers)
// Add DeviceType
| extend DeviceType = iff(DeviceId in (WorkStations), 'WorkStation', iff(DeviceId in (Servers), 'Server', 'Other'))
| project
Timestamp,
DeviceName,
DeviceType,
ActionType,
AccountDomain,
AccountName,
AccountSidAbout this query
Explanation
This query is designed to identify the creation of local user accounts on devices, which can be a sign of malicious activity. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to detect when new local user accounts are created on devices, as this can be an indicator of unauthorized access or malicious intent.
-
Context: It relates to a specific MITRE ATT&CK technique (T1136.001), which involves creating local accounts to gain access to a system without needing persistent malware.
-
Risk: Malicious actors might create local accounts and add them to the local administrator group to perform privileged actions on the system.
-
Query Details:
-
Defender XDR Version:
- It first collects IDs of devices categorized as servers and workstations.
- It then filters events where a user account was created.
- It checks if the account was created locally by comparing the account's domain with the device's name.
- Optional filters can be applied to focus on either servers or workstations.
- The output includes details like the timestamp, device name, device type, action type, account domain, account name, and account SID.
-
Sentinel Version:
- Similar to the Defender XDR version, but without the ability to filter by device type due to missing information in Sentinel.
- It focuses on listing events where local accounts are created, providing details like the time generated, device name, action type, account domain, account name, and account SID.
-
-
Usage: This query helps security teams monitor and investigate potential unauthorized account creations, which could be part of a larger attack strategy.
