Threat Feed advisory (severity: low)

Windows User Account Creation via Net.exe

This rule identifies attempts to create new users on Windows systems using net.exe, a common tactic used by attackers to increase access or establish persistence.

Attackers may create new accounts (both local and domain) to maintain access to victim systems. This rule identifies the usage of net.exe to create new accounts on Windows systems. The detection logic focuses on process execution events where net.exe or net1.exe are executed with arguments indicative of user creation, specifically the ‘user’ argument in conjunction with either the ‘/ad’ or ‘/add’ flags. While account creation is a common administrative task, suspicious executions, especially those initiated by unusual parent processes or accounts, warrant further investigation. This rule is designed for data generated by Elastic Defend but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, enhancing its applicability across various security environments.

Attack Chain

  1. An attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.
  2. The attacker opens a command prompt or PowerShell session.
  3. The attacker uses net.exe or net1.exe to create a new user account. The command includes the user argument along with /add or /ad flags. For example: net user <username> <password> /add.
  4. The attacker may add the newly created user to privileged groups, such as Administrators or Domain Admins, to elevate privileges.
  5. The attacker uses the new account to move laterally within the network, accessing sensitive data or systems.
  6. The attacker establishes persistence by configuring the new account to be a service account or adding it to local administrator groups.

Impact

Successful account creation by an attacker can lead to unauthorized access to sensitive data, lateral movement within the network, and long-term persistence on compromised systems. The impact is largely determined by the privileges assigned to the newly created account. If the attacker adds the account to the Administrators group, they can effectively take full control of the affected system. In a domain environment, creating a domain account can lead to wider compromise across the entire network.

Recommendation

  • Enable Sysmon process-creation logging to capture the necessary events for the rules below.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
  • Investigate any instances of net.exe or net1.exe creating user accounts, especially when initiated by unusual parent processes.
  • Monitor for newly created accounts being added to privileged groups.
  • Review the triage and analysis steps in the rule’s original documentation for guidance on investigating and responding to potential incidents.

Detection coverage (2 rules)

Detect User Account Creation via Net.exe (severity: low)

Detects user account creation attempts using net.exe with specific arguments.

Rule type: Sigma. Tactics: persistence. Techniques: T1136.001, T1136.002. Sources: process_creation, windows.

Detect User Account Creation via Net.exe - Alternate Location (severity: medium)

Detects user account creation attempts using net.exe from non-standard locations.

Rule type: Sigma. Tactics: persistence. Techniques: T1136.001, T1136.002. Sources: process_creation, windows.
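As an added illustration of the detection logic described in the overview (net.exe or net1.exe with the user argument and an /add or /ad flag) and of the two rules summarised above, the following Python applies those same conditions to constructed Sysmon-style process-creation events. It is example code written for this brief, not the vendor's Sigma rule or any code from the page. The event field names, the allowlist of expected parent processes, the System32/SysWOW64 "standard" locations and the sample events are all assumptions made for the example; the script also tags the /domain flag so the local (T1136.001) and domain (T1136.002) cases can be told apart in triage.

```python
"""Added example: a toy re-implementation of the two rule descriptions on this
page, applied to constructed Sysmon-style process-creation events.  It is not
the vendor's Sigma rule; field names, allowlists and sample data are assumptions."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

NET_BINARIES = {"net.exe", "net1.exe"}
ADD_FLAGS = {"/add", "/ad"}                      # the two flags named in the rule text
# Assumption: net.exe normally lives in one of these two directories.
STANDARD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: interactive shells are the expected parents of administrative use;
# net.exe itself is expected because it hands most subcommands to net1.exe.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe"}


@dataclass
class ProcessEvent:
    image: str          # Sysmon Event ID 1 "Image": full path of the new process
    command_line: str   # "CommandLine"
    parent_image: str   # "ParentImage"


@dataclass
class Finding:
    rule: str
    severity: str
    notes: List[str] = field(default_factory=list)


def parse_net_command(command_line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (subcommand, remaining args), lower-cased, or None if no net/net1 token."""
    tokens = [t.strip('"') for t in command_line.split()]
    for i, tok in enumerate(tokens):
        # Match the token whose file name is net/net1 (with or without .exe, quoted or not).
        if PureWindowsPath(tok).name.lower() in {"net", "net1", "net.exe", "net1.exe"}:
            sub = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
            return sub, [t.lower() for t in tokens[i + 2:]]
    return None


def evaluate(event: ProcessEvent) -> List[Finding]:
    """Apply both rules to one event: base rule (low) plus alternate-location rule (medium)."""
    path = PureWindowsPath(event.image)
    if path.name.lower() not in NET_BINARIES:
        return []
    parsed = parse_net_command(event.command_line)
    if parsed is None:
        return []
    subcommand, args = parsed
    if subcommand != "user" or not (ADD_FLAGS & set(args)):
        return []                                  # enumeration or other net subcommands

    notes = []
    parent = PureWindowsPath(event.parent_image).name.lower()
    if parent not in EXPECTED_PARENTS:
        notes.append(f"unusual parent process: {parent}")
    if "/domain" in args:
        notes.append("domain account (T1136.002) rather than local (T1136.001)")
    findings = [Finding("Detect User Account Creation via Net.exe", "low", notes)]

    image_dir = str(path.parent).lower()
    if image_dir not in STANDARD_DIRS:
        findings.append(Finding("Detect User Account Creation via Net.exe - Alternate Location",
                                "medium", [f"binary executed from {image_dir}"]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net.exe",
                 "net user backupsvc P@ssw0rd! /add",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\net1.exe",
                 r"C:\Windows\system32\net1 user backupsvc P@ssw0rd! /add /domain",
                 r"C:\Windows\System32\net.exe"),
    ProcessEvent(r"C:\Users\Public\net.exe",
                 r'"C:\Users\Public\net.exe" user helpdesk Winter2024 /ad',
                 r"C:\Windows\Temp\updater.exe"),
    ProcessEvent(r"C:\Windows\System32\net.exe",
                 "net user administrator",                      # enumeration, not creation
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\net.exe",
                 "net localgroup Administrators helpdesk /add",  # group change, out of scope here
                 r"C:\Windows\System32\cmd.exe"),
]


def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[Finding]]]:
    """Return (event index, findings) for every event that fires at least one rule."""
    results = []
    for i, ev in enumerate(events):
        found = evaluate(ev)
        if found:
            results.append((i, found))
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        for f in findings:
            print(f"event {idx}: [{f.severity}] {f.rule} {f.notes}")
```

Two practical points the sample run shows: a single typed command normally produces two process-creation events (net.exe and the net1.exe it spawns), so a SIEM rule should deduplicate on the parent relationship rather than count every hit as a separate incident; and the enumeration command `net user administrator` and the group change `net localgroup ... /add` do not fire, which is the intended scope of these two rules (the privileged-group addition called out in the Recommendation section needs its own rule).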
