LoFP / Some false positives could occur with the admin or guest account; it depends on the scripts used by the admins in your environment. If you experience a lot of FPs, you could reduce the level to medium.

Techniques

Sample rules

Suspicious Manipulation Of Default Accounts Via Net.EXE

Description

Detects suspicious manipulation of default accounts such as 'Administrator' and 'guest' via net.exe / net1.exe, for example enabling or disabling the account or changing its password.

Detection logic

condition: all of selection_* and not filter
filter:
  CommandLine|contains|all:
  - guest
  - /active no
selection_img:
- Image|endswith:
  - \net.exe
  - \net1.exe
- OriginalFileName:
  - net.exe
  - net1.exe
selection_user_option:
  CommandLine|contains: ' user '
selection_username:
  CommandLine|contains:
  - ' Järjestelmänvalvoja '
  - ' Rendszergazda '
  - ' Администратор '
  - ' Administrateur '
  - ' Administrador '
  - ' Administratör '
  - ' Administrator '
  - ' guest '
  - ' DefaultAccount '
  - ' "Järjestelmänvalvoja" '
  - ' "Rendszergazda" '
  - ' "Администратор" '
  - ' "Administrateur" '
  - ' "Administrador" '
  - ' "Administratör" '
  - ' "Administrator" '
  - ' "guest" '
  - ' "DefaultAccount" '
  - " 'Järjestelmänvalvoja' "
  - ' ''Rendszergazda'' '
  - " 'Администратор' "
  - ' ''Administrateur'' '
  - ' ''Administrador'' '
  - " 'Administratör' "
  - ' ''Administrator'' '
  - ' ''guest'' '
  - ' ''DefaultAccount'' '
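The detection logic above, evaluated over a handful of constructed process-creation events, as an added example that is not part of the original rule or of this LoFP page. It re-implements the selection and filter semantics in plain Python: Sigma `contains` and `endswith` are case-insensitive by default, a list of two maps under `selection_img` means either map may match, and `contains|all` in the filter requires both substrings. The events, their field names (modelled on Sysmon Event ID 1: `Image`, `OriginalFileName`, `CommandLine`) and the helper names `matches_rule`, `_net` and `run_samples` are assumptions made for the example.

```python
# Added example (not from the original rule or the LoFP page): a plain-Python
# re-implementation of the Sigma selections/filter above, run over constructed
# Sysmon-style process-creation events (Image, OriginalFileName, CommandLine).

IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe")      # selection_img: Image|endswith
ORIGINAL_FILE_NAMES = ("net.exe", "net1.exe")     # selection_img: OriginalFileName

# Bare names from selection_username; the rule lists each one unquoted,
# double-quoted and single-quoted, always padded with a space on both sides.
DEFAULT_ACCOUNT_NAMES = (
    "Järjestelmänvalvoja",   # Finnish
    "Rendszergazda",         # Hungarian
    "Администратор",         # Russian
    "Administrateur",        # French
    "Administrador",         # Spanish / Portuguese
    "Administratör",         # Swedish
    "Administrator",
    "guest",
    "DefaultAccount",
)
USERNAME_TOKENS = tuple(
    f" {q}{name}{q} " for name in DEFAULT_ACCOUNT_NAMES for q in ("", '"', "'")
)


def _contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains' is case-insensitive unless the rule says otherwise."""
    return needle.lower() in haystack.lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event would fire the rule (all selections, not filter)."""
    image = event.get("Image", "")
    ofn = event.get("OriginalFileName", "")
    cmd = event.get("CommandLine", "")

    # selection_img is a list of two maps, so either map matching is enough.
    selection_img = (
        any(image.lower().endswith(s) for s in IMAGE_SUFFIXES)
        or ofn.lower() in ORIGINAL_FILE_NAMES
    )
    selection_user_option = _contains(cmd, " user ")
    selection_username = any(_contains(cmd, tok) for tok in USERNAME_TOKENS)
    # filter uses contains|all: both substrings, exactly as written in the rule.
    filter_guest_disable = _contains(cmd, "guest") and _contains(cmd, "/active no")

    return (
        selection_img
        and selection_user_option
        and selection_username
        and not filter_guest_disable
    )


def _net(cmd: str, image: str = "C:\\Windows\\System32\\net.exe", ofn: str = "net.exe") -> dict:
    """Build a constructed event; defaults mimic a normal net.exe launch."""
    return {"Image": image, "OriginalFileName": ofn, "CommandLine": cmd}


# Constructed sample events (not real telemetry) with the verdict we expect.
SAMPLE_EVENTS = [
    ("enable built-in admin", _net("net user Administrator /active:yes"), True),
    ("reset guest password via net1",
     _net('net1 user "guest" P@ssw0rd', "C:\\Windows\\System32\\net1.exe", "net1.exe"), True),
    ("localized admin name (Russian)", _net("net user Администратор NewPass1"), True),
    ("renamed binary, OriginalFileName still net1.exe",
     _net("n user administrator /active:yes", "C:\\Temp\\n.exe", "net1.exe"), True),
    ("guest disable, filter literal as written", _net("net user guest /active no"), False),
    ("guest disable with colon syntax, not covered by the filter", _net("net user guest /active:no"), True),
    ("ordinary user creation", _net("net user alice P@ssw0rd /add"), False),
    ("no trailing argument, so no space-padded token", _net("net user Administrator"), False),
    ("same command line from a different binary",
     _net("net user Administrator /active:yes", "C:\\Windows\\System32\\cmd.exe", "Cmd.Exe"), False),
]


def run_samples() -> dict:
    """Map each sample label to (actual verdict, expected verdict)."""
    return {label: (matches_rule(ev), expected) for label, ev, expected in SAMPLE_EVENTS}


if __name__ == "__main__":
    for label, (actual, expected) in run_samples().items():
        print(f"{'FIRES' if actual else 'quiet'}  {label}  (expected {'FIRES' if expected else 'quiet'})")
```

Two things the samples make visible that matter when tuning. First, every username token is padded with a space on both sides, so a bare `net user Administrator` with nothing after the name does not match; the rule is aimed at commands that actually change something. Second, the filter as written on this page looks for the literal `/active no`, so a disable using the colon form `/active:no` is not suppressed and still fires; whether that is intended is not something the page states, but it is worth confirming against your own telemetry before lowering the level.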