{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account-creation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FileBrowser (all versions supporting proxy authentication)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","web-vulnerability","privilege-escalation","file-browser","account-creation"],"_cs_type":"advisory","_cs_vendors":["FileBrowser"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability affects FileBrowser instances configured to use proxy authentication (\u003ccode\u003eauth.method=proxy\u003c/code\u003e) where the application server is directly exposed to untrusted networks. This allows any unauthenticated attacker to impersonate any existing user, including the administrator, by simply sending a forged \u003ccode\u003eX-Remote-User\u003c/code\u003e HTTP header during a POST request to the \u003ccode\u003e/api/login\u003c/code\u003e endpoint. Additionally, specifying a non-existent username in the forged header causes FileBrowser to automatically create a new user account with default permissions, providing an account creation primitive without authorization. This vulnerability stems from FileBrowser unconditionally trusting the \u003ccode\u003eX-Remote-User\u003c/code\u003e header without any origin validation or password verification, a behavior present across all versions that support this authentication method. This is a common misconfiguration for organizations using reverse proxies for SSO/LDAP/OAuth. Successful exploitation grants full administrative control over the FileBrowser instance and access to all hosted files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a FileBrowser instance configured with \u003ccode\u003eauth.method=proxy\u003c/code\u003e that is directly reachable (i.e., not exclusively behind a trusted reverse proxy).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/api/login\u003c/code\u003e endpoint, including a forged HTTP header, typically \u003ccode\u003eX-Remote-User\u003c/code\u003e, set to a target username such as \u003ccode\u003eadmin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFileBrowser's \u003ccode\u003eProxyAuth.Auth()\u003c/code\u003e function receives the request and extracts the username from the \u003ccode\u003eX-Remote-User\u003c/code\u003e header, implicitly trusting its value without any origin validation (e.g., checking trusted IP addresses) or cryptographic verification.\u003c/li\u003e\n\u003cli\u003eIf the specified username exists, FileBrowser retrieves the corresponding user object from its internal user store. If the username does not exist, the \u003ccode\u003ecreateUser()\u003c/code\u003e function is automatically invoked, creating a new user account with default permissions and a locked, random password.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eloginHandler\u003c/code\u003e proceeds to mint a valid JSON Web Token (JWT) for the impersonated or newly created user. This JWT contains the full permissions of the target user, including administrator privileges if \u003ccode\u003eadmin\u003c/code\u003e was specified.\u003c/li\u003e\n\u003cli\u003eThe attacker receives this valid JWT and uses it in subsequent HTTP requests by including it in the \u003ccode\u003eX-Auth\u003c/code\u003e header to interact with privileged endpoints (e.g., \u003ccode\u003e/api/settings\u003c/code\u003e, \u003ccode\u003e/api/users\u003c/code\u003e) or access specific user resources (e.g., \u003ccode\u003e/api/resources/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full administrative control over the FileBrowser instance, allowing modification of server settings, enumeration of all user accounts, and unauthorized access to all files and data within the application's scope.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to complete compromise of the FileBrowser instance. Attackers gain full administrative control, allowing them to modify server configurations, create, delete, or modify files, and access sensitive data stored within the FileBrowser environment. This also enables the creation of arbitrary user accounts without authorization, potentially leading to further persistence or resource exhaustion. Organizations deploying FileBrowser behind reverse proxies, especially those exposing the application's port directly to an untrusted network (e.g., due to Docker container defaults or misconfigured cloud security groups), are at high risk of data breach and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict direct access:\u003c/strong\u003e Configure network firewalls or security groups to ensure the FileBrowser application is only accessible by trusted reverse proxies, preventing direct access from untrusted networks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview logging\u003c/strong\u003e: Deploy the provided Sigma rule to detect POST requests to \u003ccode\u003e/api/login\u003c/code\u003e containing the \u003ccode\u003eX-Remote-User\u003c/code\u003e header. Ensure web server logs capture the \u003ccode\u003eX-Remote-User\u003c/code\u003e HTTP header for effective detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUpdate configuration:\u003c/strong\u003e If direct exposure is unavoidable, consider switching \u003ccode\u003eauth.method\u003c/code\u003e from \u003ccode\u003eproxy\u003c/code\u003e to \u003ccode\u003ejson\u003c/code\u003e and implementing alternative, more secure authentication mechanisms at the application layer or within a properly secured reverse proxy setup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement trusted proxy validation:\u003c/strong\u003e If using \u003ccode\u003eauth.method=proxy\u003c/code\u003e is essential, implement stringent trusted proxy validation at the network layer or enhance FileBrowser with origin validation checks (e.g., by contributing a patch to verify \u003ccode\u003er.RemoteAddr\u003c/code\u003e against a list of trusted IPs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:37:06Z","date_published":"2026-07-10T19:37:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-filebrowser-auth-bypass/","summary":"An unauthenticated attacker can impersonate any user, including administrators, or automatically create new user accounts in FileBrowser by forging the `X-Remote-User` HTTP header when the server is configured for proxy authentication and is directly reachable, leading to full administrative control and unauthorized access to data.","title":"FileBrowser Authentication Bypass via Forged Proxy Authentication Header","url":"https://feed.craftedsignal.io/briefs/2026-07-filebrowser-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2024-7593"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Ivanti Virtual Traffic Manager"],"_cs_severities":["critical"],"_cs_tags":["ivanti","cve-2024-7593","authentication-bypass","account-creation"],"_cs_type":"advisory","_cs_vendors":["Ivanti"],"content_html":"\u003cp\u003eCVE-2024-7593 is an authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM), a widely used application delivery controller. This vulnerability allows unauthenticated remote attackers to bypass the admin panel's authentication mechanisms and create new administrator accounts. Exploitation of this flaw enables attackers to gain complete control over the Ivanti vTM instance, potentially disrupting services, intercepting traffic, and compromising sensitive data. Public proof-of-concept exploit code exists, increasing the likelihood of widespread exploitation. Successful exploitation can lead to a complete compromise of the vTM instance and the services it manages. The targets are organizations using vulnerable versions of Ivanti vTM, which are primarily web-facing applications requiring load balancing and traffic management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP request to the Ivanti vTM admin panel, exploiting CVE-2024-7593 to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the authentication bypass to gain unauthorized access to the vTM admin interface.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exposed administrative functionality to create a new user account with \u0026quot;admin\u0026quot; privileges via the 'adduser' operation.\u003c/li\u003e\n\u003cli\u003eThe new administrator account lacks expected authentication details in the vTM audit logs, specifically showing IP=\u0026quot;!!ABSENT!!\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the Ivanti vTM admin panel using the newly created administrator account.\u003c/li\u003e\n\u003cli\u003eOnce authenticated, the attacker configures the vTM instance to redirect traffic to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts sensitive data, including credentials and session tokens, from the redirected traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised data to gain access to backend systems and escalate their access within the network, potentially leading to data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-7593 allows attackers to gain full administrative control over affected Ivanti vTM instances. This can result in service disruption, data interception, and complete compromise of the applications managed by the vTM. Organizations in various sectors utilizing Ivanti vTM for critical application delivery are at risk. The creation of rogue administrator accounts can lead to unauthorized configuration changes, potentially impacting hundreds or thousands of users accessing web applications. A successful attack can lead to significant financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eIvanti VTM New Account Creation\u003c/code\u003e to detect unauthorized administrator account creation attempts based on the absence of IP addresses in the audit logs.\u003c/li\u003e\n\u003cli\u003eEnsure Ivanti vTM audit logs are properly ingested and monitored, focusing on events with \u003ccode\u003eOPERATION=\u0026quot;adduser\u0026quot;\u003c/code\u003e and \u003ccode\u003eMODGROUP=\u0026quot;admin\u0026quot;\u003c/code\u003e as described in the detection rule.\u003c/li\u003e\n\u003cli\u003eReview existing Ivanti vTM accounts and configurations for any unauthorized changes or additions that may indicate prior compromise.\u003c/li\u003e\n\u003cli\u003eApply the security patches provided by Ivanti to address CVE-2024-7593 on all affected vTM instances. Refer to the Ivanti security advisory for patch availability.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit the potential impact of a compromised vTM instance, mitigating lateral movement as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eIvanti VTM New Account Creation\u003c/code\u003e Sigma rule, correlating with other security events to identify potentially compromised systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-ivanti-vtm-account-creation/","summary":"Unauthenticated remote attackers are exploiting CVE-2024-7593 in Ivanti Virtual Traffic Manager (vTM) to bypass authentication and create new administrator accounts, potentially leading to full system compromise.","title":"Ivanti VTM Administrator Account Creation via CVE-2024-7593","url":"https://feed.craftedsignal.io/briefs/2024-07-ivanti-vtm-account-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["persistence","account-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may create new accounts (both local and domain) to maintain access to victim systems. This is often done after initial compromise to ensure continued access even if initial entry points are closed. This rule identifies the usage of \u003ccode\u003enet.exe\u003c/code\u003e (and \u003ccode\u003enet1.exe\u003c/code\u003e) to create new accounts on Windows systems. The rule specifically looks for the \u003ccode\u003euser\u003c/code\u003e and \u003ccode\u003e/add\u003c/code\u003e parameters in the command line arguments. The timeframe analyzed is the last 9 minutes based on the \u003ccode\u003efrom\u003c/code\u003e field in the original rule. This activity, while potentially legitimate, warrants investigation due to its potential for malicious use by threat actors aiming for persistence. The detection logic excludes scenarios where the parent process is also \u003ccode\u003enet.exe\u003c/code\u003e to reduce noise from legitimate administrative tasks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through exploitation of a vulnerability or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e with the \u003ccode\u003euser\u003c/code\u003e and \u003ccode\u003e/add\u003c/code\u003e arguments to create a new local or domain user account.\u003c/li\u003e\n\u003cli\u003eThe new user account is configured with specific privileges, potentially adding it to local administrator groups.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created account to log into the system, bypassing existing security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the new account to install malware or other malicious tools on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by adding the newly created account to startup programs or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the persistent access to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their ultimate objective, such as data exfiltration or ransomware deployment, leveraging the established persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful creation of malicious user accounts can lead to persistent access within a compromised environment. While this event may be legitimate, unauthorized account creation can allow attackers to maintain access to systems even after initial vulnerabilities are patched or detected. Depending on the privileges granted to the created account, the impact can range from limited access to complete control over the compromised system and potentially the entire domain. This can facilitate data theft, disruption of services, or the deployment of ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows User Account Creation via net.exe\u003c/code\u003e to your SIEM to detect suspicious account creation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate all instances flagged by the Sigma rule, paying close attention to the parent processes and the context of the account creation.\u003c/li\u003e\n\u003cli\u003eCorrelate detected events with other suspicious activities on the host or network to identify potentially compromised systems.\u003c/li\u003e\n\u003cli\u003eReview existing account creation policies and procedures to ensure they are adequate and enforced.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all user accounts to mitigate the risk of unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor security logs from Windows Security Event Logs for event IDs related to account creation (4720, 4722, 4723, 4724, 4725).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-user-account-creation/","summary":"Attackers may create new accounts on Windows systems using `net.exe` to maintain access and establish persistence, which this detection identifies.","title":"Windows User Account Creation via net.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-09-user-account-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["medium"],"_cs_tags":["cisco-asa","account-creation","persistence"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic detects the creation of new user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated. The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account. The source material was published by Splunk on 2026-04-17, highlighting the continued relevance of this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the Cisco ASA device via compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the ASA device using the gained access.\u003c/li\u003e\n\u003cli\u003eAttacker executes commands to create a new local user account using the CLI or ASDM interface.\u003c/li\u003e\n\u003cli\u003eThe ASA device generates syslog message ID 502101, indicating the new account creation, which includes the username, privilege level, and creating administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns a high privilege level (e.g., level 15) to the new account.\u003c/li\u003e\n\u003cli\u003eAttacker uses the newly created account to maintain persistent access to the ASA device.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the persistent access to perform reconnaissance, modify configurations, or disrupt network operations.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a backdoor for future access, bypassing normal authentication mechanisms.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to the network infrastructure, allowing attackers to modify configurations, intercept traffic, or disrupt services. This can result in data breaches, denial of service, and significant financial and reputational damage. While the specific number of victims or targeted sectors isn't available, the impact is significant for any organization relying on Cisco ASA devices for network security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure Cisco ASA devices are configured to generate and forward syslog message ID 502101 to a SIEM for monitoring to enable the provided detections.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eCisco ASA - New Local User Account Created\u003c/code\u003e to detect suspicious account creation activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to accounts with elevated privileges (level 15) and those created outside of normal business hours.\u003c/li\u003e\n\u003cli\u003eReview existing user accounts on Cisco ASA devices regularly, looking for any unauthorized or suspicious accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-04-cisco-asa-account-creation/","summary":"Detection of new user account creations on Cisco ASA devices, potentially indicating unauthorized access or persistence attempts by adversaries.","title":"Cisco ASA - New Local User Account Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-04-cisco-asa-account-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Account-Creation","version":"https://jsonfeed.org/version/1.1"}