LoFP LoFP / t1136

t1136

TitleTags
a group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
admin activity
administrative activity
administrator or network operator can execute this command. please update the filter macros to remove false positives.
administrators may legitimately create azure automation accounts. filter as needed.
administrators may legitimately create azure automation runbooks. filter as needed.
administrators often leverage net.exe to create admin accounts.
an rds security group may be created by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. security group creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
better use event ids for user creation rather than command line rules.
domain controller logs
if the behavior of creating okta api tokens is expected, consider adding exceptions to this rule to filter false positives.
it is possible that an administrator created and deleted an account in a short time period. verifying activity with an administrator is advised.
it is possible that an administrator created the account. verifying activity with an administrator is advised. this analytic is set to anomaly to allow for risk to be added. filter and tune as needed. restrict to critical infrastructure to reduce any volume.
legitimate administration activities
legitimate administrative script
legitimate local user creations may be done by a system or network administrator. verify whether this is known behavior in your environment. local user creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
legitimate user creation.
local accounts managed by privileged account management tools
organization approved new members
service accounts can be created by system administrators. verify that the behavior was expected. exceptions can be added to this rule to filter expected behavior.
the activity may be legitimate. for this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. if your local administrator group name is not \"administrators\", this search may generate an excessive number of false positives
the creation of a new federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
the creation of a new federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
the creation of a new federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
unlikely
when remote authentication is in place, this should not change often
while this search has no known false positives, it is possible that an aws admin has legitimately created a login profile for another user.