37 строки
2.0 KiB
YAML
37 строки
2.0 KiB
YAML
id: 5e76eaf9-79a7-448c-bace-28e5b53b8396
|
|
name: Summary of users created using uncommon/undocumented commandline switches
|
|
description: |
|
|
'Summarizes uses of uncommon & undocumented commandline switches to create persistence
|
|
User accounts may be created to achieve persistence on a machine.
|
|
Read more here: https://attack.mitre.org/wiki/Technique/T1136
|
|
Query for users being created using "net user" command
|
|
"net user" commands are noisy, so needs to be joined with another signal -
|
|
e.g. in this example we look for some undocumented variations (e.g. /ad instead of /add)'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- CredentialAccess
|
|
- LateralMovement
|
|
relevantTechniques:
|
|
- T1110
|
|
query: |
|
|
|
|
let timeframe = 1d;
|
|
SecurityEvent
|
|
| where TimeGenerated >= ago(timeframe)
|
|
| where EventID==4688
|
|
| project TimeGenerated, ComputerName=Computer,AccountName=SubjectUserName,
|
|
AccountDomain=SubjectDomainName, FileName=tostring(split(NewProcessName, '\\')[-1]),
|
|
ProcessCommandLine = CommandLine,
|
|
FolderPath = "", InitiatingProcessFileName=ParentProcessName,
|
|
InitiatingProcessCommandLine="",InitiatingProcessParentFileName=""
|
|
| where FileName in~ ("net.exe", "net1.exe")
|
|
| parse kind=regex flags=iU ProcessCommandLine with * "user " CreatedUser " " * "/ad"
|
|
| where not(FileName =~ "net1.exe" and InitiatingProcessFileName =~ "net.exe" and replace("net", "net1", InitiatingProcessCommandLine) =~ ProcessCommandLine)
|
|
| extend CreatedOnLocalMachine=(ProcessCommandLine !contains "/do")
|
|
| where ProcessCommandLine contains "/add" or (CreatedOnLocalMachine == 0 and ProcessCommandLine !contains "/domain")
|
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount=dcount(ComputerName) by CreatedUser, CreatedOnLocalMachine, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
|
|
| extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser
|
|
|