{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/user-account-creation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","user-account-creation","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may create new accounts (both local and domain) to maintain access to victim systems. This rule identifies the usage of \u003ccode\u003enet.exe\u003c/code\u003e to create new accounts on Windows systems. The detection logic focuses on process execution events where \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e are executed with arguments indicative of user creation, specifically the \u0026lsquo;user\u0026rsquo; argument in conjunction with either the \u0026lsquo;/ad\u0026rsquo; or \u0026lsquo;/add\u0026rsquo; flags. While account creation is a common administrative task, suspicious executions, especially those initiated by unusual parent processes or accounts, warrant further investigation. This rule is designed for data generated by Elastic Defend but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, enhancing its applicability across various security environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a command prompt or PowerShell session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e to create a new user account. The command includes the \u003ccode\u003euser\u003c/code\u003e argument along with \u003ccode\u003e/add\u003c/code\u003e or \u003ccode\u003e/ad\u003c/code\u003e flags. For example: \u003ccode\u003enet user \u0026lt;username\u0026gt; \u0026lt;password\u0026gt; /add\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker may add the newly created user to privileged groups, such as \u003ccode\u003eAdministrators\u003c/code\u003e or \u003ccode\u003eDomain Admins\u003c/code\u003e, to elevate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the new account to move laterally within the network, accessing sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by configuring the new account to be a service account or adding it to local administrator groups.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, lateral movement within the network, and long-term persistence on compromised systems. The impact is often determined by the privileges assigned to the newly created account. If the attacker adds the account to the \u003ccode\u003eAdministrators\u003c/code\u003e group, they can effectively take full control of the affected system. In a domain environment, creating a domain account can lead to wider compromise across the entire network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary events for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003enet.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e creating user accounts, especially when initiated by unusual parent processes.\u003c/li\u003e\n\u003cli\u003eMonitor for newly created accounts being added to privileged groups.\u003c/li\u003e\n\u003cli\u003eReview the triage and analysis steps in the rule\u0026rsquo;s original documentation for guidance on investigating and responding to potential incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-user-account-creation/","summary":"This rule identifies attempts to create new users on Windows systems using net.exe, a common tactic used by attackers to increase access or establish persistence.","title":"Windows User Account Creation via Net.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-user-account-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — User-Account-Creation","version":"https://jsonfeed.org/version/1.1"}