Sample rules
New User Created Via Net.EXE
- source: sigma
- techniques:
  - t1136
  - t1136.001
Description
Identifies the creation of local users via the net.exe command.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - user
    - add
selection_img:
  - Image|endswith:
      - \net.exe
      - \net1.exe
  - OriginalFileName:
      - net.exe
      - net1.exe
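The logic above, evaluated over a few process-creation events, as an added example that is not part of the Sigma rule or its project. All event values are constructed, the function names are hypothetical, and matching is case-insensitive as in Sigma's default string comparison.

```python
# Added example: the "New User Created Via Net.EXE" condition applied to
# constructed process-creation events (field names taken from the rule).

def _ci(value):
    return (value or "").lower()

def selection_cli(ev):
    # CommandLine|contains|all: every substring must be present
    cl = _ci(ev.get("CommandLine"))
    return all(tok in cl for tok in ("user", "add"))

def selection_img(ev):
    # List of maps means OR: image path suffix OR PE OriginalFileName
    image = _ci(ev.get("Image"))
    orig = _ci(ev.get("OriginalFileName"))
    return image.endswith(("\\net.exe", "\\net1.exe")) or orig in ("net.exe", "net1.exe")

def rule_matches(ev):
    # condition: all of selection_*
    return selection_cli(ev) and selection_img(ev)

# Constructed sample events, not taken from any real host
EVENTS = {
    "plain_add": {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
                  "CommandLine": "net user labuser1 Example-Passw0rd /add"},
    # Different file name on disk: only OriginalFileName still identifies it
    "copied_binary": {"Image": r"C:\Users\Public\n.exe", "OriginalFileName": "net1.exe",
                      "CommandLine": "n.exe USER labuser2 /ADD"},
    "list_users": {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
                   "CommandLine": "net user"},
    # Not a user creation, but "labuser1" contains "user": a tuning candidate
    "localgroup_add": {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
                       "CommandLine": "net localgroup Administrators labuser1 /add"},
    "other_tool": {"Image": r"C:\Tools\useradd.exe", "OriginalFileName": "useradd.exe",
                   "CommandLine": "useradd.exe --user x --add"},
}

def evaluate(events=EVENTS):
    return {name: rule_matches(ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:15} {'MATCH' if hit else 'no match'}")
```

The `localgroup_add` event shows that the substring selection also fires on group-membership changes whose account name contains "user", which is worth accounting for when triaging hits.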
PowerShell Create Local User
- source: sigma
- techniques:
  - t1059
  - t1059.001
  - t1136
  - t1136.001
Description
Detects creation of a local user via PowerShell.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains: New-LocalUser