DarkGate - User Created Via Net.EXE
Detects creation of local users via the net.exe command with the name of "DarkGate"
Sigma rule
title: DarkGate - User Created Via Net.EXE
id: bf906d7b-7070-4642-8383-e404cf26eba5
status: test
description: Detects creation of local users via the net.exe command with the name of "DarkGate"
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2023-08-27
modified: 2023-10-15
tags:
    - attack.persistence
    - attack.t1136.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    # /c net user /add SafeMode DarkGate0!
    selection:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains|all:
            - 'user'
            - 'add'
            - 'DarkGate'
            - 'SafeMode'
    condition: selection
falsepositives:
    - Unlikely
level: high
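To see what the selection block above actually fires on, here is an added example (not part of the Sigma rule or the Sigma project) that evaluates the rule's two field tests over constructed process_creation events; the field names, event ids and command lines are assumptions made up for the demonstration, and matching is lowercased because Sigma's endswith/contains modifiers are case-insensitive.

```python
# Added example: minimal evaluator for this rule's `selection` block.
# Not Sigma's own matcher; field names follow Sysmon EventID 1 style.
from typing import Iterable

RULE_ID = "bf906d7b-7070-4642-8383-e404cf26eba5"

# Image|endswith (compared case-insensitively, as Sigma does)
IMAGE_SUFFIXES = ("\\net.exe", "\\net1.exe")
# CommandLine|contains|all (every term must be present)
COMMANDLINE_ALL = ("user", "add", "darkgate", "safemode")


def matches(event: dict) -> bool:
    """Return True when the event satisfies `condition: selection`."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES):
        return False
    return all(term in cmdline for term in COMMANDLINE_ALL)


def scan(events: Iterable[dict]) -> list:
    """Return the ids of all events that trigger the rule."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    # The command line from the rule's own comment: should match.
    {"id": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user /add SafeMode DarkGate0!"},
    # net1.exe with mixed case: still matches (case-insensitive).
    {"id": 2, "Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 USER /ADD safemode darkgate0!"},
    # Ordinary local account creation without the DarkGate strings: no match.
    {"id": 3, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user /add backup_svc P@ssw0rd"},
    # Parent cmd.exe event: Image is not net.exe, so no match here
    # (the child net.exe process produces its own event, which would).
    {"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c net user /add SafeMode DarkGate0!"},
]

if __name__ == "__main__":
    print("matching event ids:", scan(SAMPLE_EVENTS))  # [1, 2]
```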
Related rules
- Serv-U Exploitation CVE-2021-35211 by DEV-0322
- ChromeLoader Malware Execution
- Diamond Sleet APT Scheduled Task Creation
- Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
- Serpent Backdoor Payload Execution Via Scheduled Task