Azure-Sentinel/Hunting Queries/SecurityEvent/persistence_create_account....

id: 5e76eaf9-79a7-448c-bace-28e5b53b8396
name: Summary of users created using uncommon/undocumented commandline switches
description: |
  'Summarizes uses of uncommon & undocumented commandline switches to create persistence
  User accounts may be created to achieve persistence on a machine.
  Read more here: https://attack.mitre.org/wiki/Technique/T1136
  Query for users being created using "net user" command
  "net user" commands are noisy, so needs to be joined with another signal -
  e.g. in this example we look for some undocumented variations (e.g. /ad instead of /add)'
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - CredentialAccess
  - LateralMovement
relevantTechniques:
  - T1110
query: |

  let timeframe = 1d;
  SecurityEvent
  | where TimeGenerated >= ago(timeframe) 
  | where EventID==4688
  | project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName, 
      AccountDomain=SubjectDomainName, FileName=tostring(split(NewProcessName, '\\')[-1]), 
      ProcessCommandLine = CommandLine, 
      FolderPath = "", InitiatingProcessFileName=ParentProcessName,
      InitiatingProcessCommandLine="",InitiatingProcessParentFileName=""
  | where FileName in~ ("net.exe", "net1.exe")
  | parse kind=regex flags=iU ProcessCommandLine with * "user " CreatedUser " " * "/ad"
  | where not(FileName =~ "net1.exe" and InitiatingProcessFileName =~ "net.exe" and replace("net", "net1", InitiatingProcessCommandLine) =~ ProcessCommandLine)
  | extend CreatedOnLocalMachine=(ProcessCommandLine !contains "/do")
  | where ProcessCommandLine contains "/add" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains "/domain")
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(ComputerName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
  | extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser
Updating entities and putting in YAML format 2019-09-04 01:10:13 +03:00			`id: 5e76eaf9-79a7-448c-bace-28e5b53b8396`
			`name: Summary of users created using uncommon/undocumented commandline switches`
			`description: \|`
			`'Summarizes uses of uncommon & undocumented commandline switches to create persistence`
			`User accounts may be created to achieve persistence on a machine.`
			`Read more here: https://attack.mitre.org/wiki/Technique/T1136`
			`Query for users being created using "net user" command`
			`"net user" commands are noisy, so needs to be joined with another signal -`
			`e.g. in this example we look for some undocumented variations (e.g. /ad instead of /add)'`
			`requiredDataConnectors:`
			`- connectorId: SecurityEvents`
			`dataTypes:`
			`- SecurityEvent`
			`tactics:`
			`- CredentialAccess`
			`- LateralMovement`
			`relevantTechniques:`
			`- T1110`
			`query: \|`

			`let timeframe = 1d;`
			`SecurityEvent`
			`\| where TimeGenerated >= ago(timeframe)`
			`\| where EventID==4688`
			`\| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,`
			`AccountDomain=SubjectDomainName, FileName=tostring(split(NewProcessName, '\\')[-1]),`
			`ProcessCommandLine = CommandLine,`
			`FolderPath = "", InitiatingProcessFileName=ParentProcessName,`
			`InitiatingProcessCommandLine="",InitiatingProcessParentFileName=""`
			`\| where FileName in~ ("net.exe", "net1.exe")`
			`\| parse kind=regex flags=iU ProcessCommandLine with * "user " CreatedUser " " * "/ad"`
			`\| where not(FileName =~ "net1.exe" and InitiatingProcessFileName =~ "net.exe" and replace("net", "net1", InitiatingProcessCommandLine) =~ ProcessCommandLine)`
			`\| extend CreatedOnLocalMachine=(ProcessCommandLine !contains "/do")`
			`\| where ProcessCommandLine contains "/add" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains "/domain")`
			`\| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(ComputerName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine`
			`\| extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser`