Suspicious 'Admin' Local User Creation with Net Command
Detects creation of a local user account with the net command where the command line also contains the substring 'adm' (so 'Admin', 'sysadmin', 'AdminBackup' and similar names). The Vice Society ransomware gang uses this technique to create bogus accounts that blend in with an administrative account naming convention.
Sigma rule

```yaml
title: Suspicious 'Admin' Local User Creation with Net Command
id: 0ce1911b-5038-4ee7-8925-013d808c6c7f
status: experimental
description: Detects creation of a local user account using the net command with 'Admin' in the name - this technique is used by the Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
author: Micah Babinski
date: 2022/11/28
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1136.001
    - attack.t1136
    - attack.t1078
    - attack.t1078.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\net.exe'
        # 'contains|all' requires every listed substring to be present.
        # A plain 'contains' list is OR-ed by Sigma and would fire on any
        # 'net user' invocation, including simple account enumeration.
        CommandLine|contains|all:
            - 'user'
            - 'add'
            - 'adm'
    condition: selection
falsepositives:
    - Valid creation of local user accounts with adm in the name (should be rare)
level: high
```
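The following is an added example, not part of the rule or of the SigmaHQ project: a minimal Python evaluator for the selection above, run over constructed Sysmon-style process_creation events. It shows which command lines fire when all three substrings are required (Sigma's `contains|all`) versus a plain `contains` list, which Sigma evaluates as OR, and adds a small triage helper that pulls the created account name out of a `net user ... /add` command. The event records, the helper names and the `require_all` parameter are assumptions for illustration; Sigma string matching is case-insensitive, so the comparisons lowercase both sides.

```python
# Added example: evaluator for the 'Admin' local user creation rule over
# constructed events. Not part of the Sigma rule or SigmaHQ; event data and
# helper names are illustrative assumptions.

IMAGE_SUFFIX = "\\net.exe"               # mirrors Image|endswith
CLI_SUBSTRINGS = ("user", "add", "adm")  # mirrors CommandLine|contains[|all]


def matches(event, require_all=True):
    """Return True if the event satisfies the rule's selection.

    require_all=True mirrors `CommandLine|contains|all` (every substring
    must be present); require_all=False mirrors a plain `contains` list,
    which Sigma evaluates as OR. Matching is case-insensitive, as in Sigma.
    """
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    hits = [s in cli for s in CLI_SUBSTRINGS]
    return all(hits) if require_all else any(hits)


def created_account(command_line):
    """Extract the account name from `net user <name> [password] /add`.

    Returns None when the command line is not an account creation.
    Intended for triage after the rule fires; it is not part of the rule.
    """
    tokens = command_line.split()
    lowered = [t.lower() for t in tokens]
    if "user" not in lowered or "/add" not in lowered:
        return None
    idx = lowered.index("user")
    if idx + 1 >= len(tokens) or tokens[idx + 1].startswith("/"):
        return None
    return tokens[idx + 1]


def evaluate(events, require_all=True):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e, require_all)]


# Constructed events (not real telemetry); field names follow Sysmon Event ID 1.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user AdminBackup P@ssw0rd! /add"},      # bogus admin-style account
    {"id": 2, "Image": r"C:\Windows\System32\NET.EXE",
     "CommandLine": r"net  user  sysadmin  Str0ng!  /ADD"},         # mixed case, extra spaces
    {"id": 3, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user"},                                   # enumeration only
    {"id": 4, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user jsmith Welcome1 /add"},              # ordinary account, no 'adm'
    {"id": 5, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net localgroup administrators jsmith /add"},  # 'adm' and 'add' but no 'user'
    {"id": 6, "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": r"net1 user AdminBackup P@ssw0rd! /add"},       # net1.exe: outside Image|endswith
]

if __name__ == "__main__":
    print("contains|all fires on:", evaluate(EVENTS))                    # [1, 2]
    print("plain contains fires on:", evaluate(EVENTS, require_all=False))  # [1, 2, 3, 4, 5]
    for e in EVENTS:
        print(e["id"], created_account(e["CommandLine"]))
```

Two caveats worth carrying into a deployment. Event 6 shows the gap in `Image|endswith: '\net.exe'`: net.exe hands most subcommands to net1.exe, and running `net1 user ... /add` directly produces the same account without a net.exe process, so adding `\net1.exe` to the image selection is a common hardening of this rule. The second is the OR/AND distinction the example prints: with a plain `contains` list the rule fires on bare `net user` enumeration and on every `net user ... /add`, which turns a high-severity rule into noise; `contains|all` is what the description intends.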
Related rules
- Failed Logins with Different Accounts from Single Source System
- Failed NTLM Logins with Different Accounts from Single Source System
- Malicious Service Installations
- Default Account Usage
- Suspicious Commands by SQL Server