sigma-rules/rules/windows/persistence_user_account_creation.toml

[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/02/18"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or
domain.
"""
index = ["winlogbeat-*"]
language = "kuery"
license = "Elastic License"
name = "User Account Creation"
risk_score = 21
rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b"
severity = "low"
tags = ["Elastic", "Windows"]
type = "query"

query = '''
event.action:"Process Create (rule: ProcessCreate)" and process.name:(net.exe or net1.exe) and not process.parent.name:net.exe and process.args:(user and (/ad or /add))
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"