Suspicious 'Admin' Local User Creation with Net Command

Detects creation of a local user account using the net command with 'Admin' in the name. This technique is used by the Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.

Sigma rule

```yaml
title: Suspicious 'Admin' Local User Creation with Net Command
id: 0ce1911b-5038-4ee7-8925-013d808c6c7f
status: experimental
description: Detects creation of a local user account using the net command with 'Admin' in the name - this technique is used by Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
author: Micah Babinski
date: 2022/11/28
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1136.001
    - attack.t1136
    - attack.t1078
    - attack.t1078.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\net.exe'
        # 'all' is required here: a plain value list under 'contains' is OR-ed in
        # Sigma, which would fire on any net.exe command line containing 'user'.
        CommandLine|contains|all:
            - 'user'
            - 'add'
            - 'adm'
    condition: selection
falsepositives:
    - Valid creation of local user accounts with adm in the name (should be rare)
level: high
```
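To check what the `selection` block above actually fires on, here is a small evaluator for that block run over a handful of constructed process_creation events. This is an added example, not code from the Sigma page or from SigmaHQ; the event dicts, the `run_rule`/`selection_matches` helpers and the `RULE_SELECTION_WITHOUT_ALL` variant are all constructed here. The variant exists to show that a plain `contains` value list is OR-ed in Sigma, so without the `all` modifier the rule matches every `net user` invocation, including plain account listings.

```python
"""Minimal evaluator for the rule's `selection` block, run over constructed
process_creation events (added example; not part of the Sigma page or SigmaHQ)."""

# The selection block from the rule, expressed as a dict. The key syntax is
# Sigma's: field name followed by pipe-separated modifiers.
RULE_SELECTION = {
    "Image|endswith": [r"\net.exe"],
    "CommandLine|contains|all": ["user", "add", "adm"],
}

# Same fields without the `all` modifier: a plain value list is OR-ed in Sigma,
# so this variant fires on any net.exe command line containing 'user'.
RULE_SELECTION_WITHOUT_ALL = {
    "Image|endswith": [r"\net.exe"],
    "CommandLine|contains": ["user", "add", "adm"],
}

# Constructed sample events (not real telemetry). Only Image and CommandLine
# are populated because those are the only fields the rule reads.
SAMPLE_EVENTS = [
    # bogus admin-looking account: should match
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user Administrator1 P@ssw0rd /add"},
    # just listing accounts: no 'add', no 'adm'
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user"},
    # user creation without 'adm' anywhere in the command line
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user jsmith Summer2022 /add"},
    # all three substrings present but the wrong image
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo user add adm"},
    # upper case: Sigma string matching is case-insensitive, so this matches
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "NET USER SysAdmin Passw0rd /ADD"},
]


def _field_matches(event, spec, values):
    """Evaluate one `field|modifiers: [values]` line against an event."""
    field, *modifiers = spec.split("|")
    actual = str(event.get(field, "")).lower()  # case-insensitive by default

    def test(value):
        value = value.lower()
        if "endswith" in modifiers:
            return actual.endswith(value)
        if "startswith" in modifiers:
            return actual.startswith(value)
        if "contains" in modifiers:
            return value in actual
        return actual == value  # no modifier: exact (case-insensitive) match

    results = [test(v) for v in values]
    # `all` turns the value list from OR into AND
    return all(results) if "all" in modifiers else any(results)


def selection_matches(event, selection=RULE_SELECTION):
    """All field lines inside one selection map are AND-ed together."""
    return all(_field_matches(event, spec, values)
               for spec, values in selection.items())


def run_rule(events, selection=RULE_SELECTION):
    """Return the command lines of the events the selection fires on."""
    return [e["CommandLine"] for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    for cmd in run_rule(SAMPLE_EVENTS):
        print("ALERT:", cmd)
    print("hits without |all:",
          len(run_rule(SAMPLE_EVENTS, RULE_SELECTION_WITHOUT_ALL)))
```

With the `all` modifier only the two account creations whose names contain `adm` are reported; without it the listing-only `net user` and the `jsmith` creation fire as well, which is the false-positive flood the modifier prevents. Note also that the rule keys on the process image, so on a real host the same command line reaching the logs under a different image name (net.exe hands most subcommands to net1.exe) would need a second `endswith` value to be caught.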
