PowerShell Create Local User
Detects creation of a local user account via PowerShell by matching the New-LocalUser cmdlet in PowerShell script block logs (Script Block Logging must be enabled). Only this cmdlet is covered; other creation paths such as net user /add are not matched by this rule.
Sigma rule

title: PowerShell Create Local User
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
status: test
description: Detects creation of a local user via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: '@ROxPinTeddy'
date: 2020-04-11
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.001
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'New-LocalUser'
    condition: selection
falsepositives:
    - Legitimate user creation
level: medium
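The detection above is a single `contains` selection on the ScriptBlockText field. As an added example (not part of the rule or of SigmaHQ), the following Python applies that selection to a few constructed script block events and shows which ones fire. Sigma string matching is case-insensitive by default, so a lower-cased `new-localuser` still matches; a benign `Get-Help New-LocalUser` also matches (the "Legitimate user creation" false positive class in practice), while account creation through `net user /add` produces no hit because the rule only looks for the cmdlet name. The event shape (a dict with a ScriptBlockText key) is an assumption standing in for a parsed Event ID 4104 record.

```python
"""Added example: apply the rule's ScriptBlockText|contains selection to
constructed PowerShell script block events. Not the rule's own code."""

# Constructed 4104-style events; the dict shape is an assumption, only
# ScriptBlockText is consulted by this rule.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "New-LocalUser -Name 'svc_backup' -Password $p"},
    {"EventID": 4104, "ScriptBlockText": "new-localuser bk -NoPassword; Add-LocalGroupMember Administrators bk"},
    {"EventID": 4104, "ScriptBlockText": "Get-Help New-LocalUser -Full"},      # benign, still matches
    {"EventID": 4104, "ScriptBlockText": "net user helper P@ssw0rd /add"},    # not covered by this rule
    {"EventID": 4104, "ScriptBlockText": "Get-LocalUser | Where-Object Enabled"},
]

# The rule's selection, written as the Sigma YAML expresses it.
RULE_SELECTION = {"ScriptBlockText|contains": "New-LocalUser"}


def sigma_contains(field_value, pattern):
    """Sigma 'contains' modifier: substring match, case-insensitive by default."""
    if field_value is None:
        return False
    return str(pattern).lower() in str(field_value).lower()


def sigma_equals(field_value, pattern):
    """Unmodified Sigma string comparison: full match, case-insensitive."""
    if field_value is None:
        return False
    return str(field_value).lower() == str(pattern).lower()


def match_selection(event, selection):
    """All keys of a selection must match (AND); a list of patterns is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if modifier == "contains":
            cmp = sigma_contains
        elif modifier == "":
            cmp = sigma_equals
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not isinstance(patterns, list):
            patterns = [patterns]
        value = event.get(field)
        if not any(cmp(value, p) for p in patterns):
            return False
    return True


def run_rule(events, selection=RULE_SELECTION):
    """Return the indices of events the rule's 'condition: selection' fires on."""
    return [i for i, ev in enumerate(events) if match_selection(ev, selection)]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"HIT event[{i}]: {SAMPLE_EVENTS[i]['ScriptBlockText']}")
```

Events 0 through 2 fire and events 3 and 4 do not, which makes the rule's coverage boundary concrete: it is a cmdlet-name match on logged script text, so tuning for the documented false positive or extending coverage to other creation paths has to be done in a separate selection, not by changing this one.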
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
Related rules
- HackTool - CrackMapExec Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Scheduled Task Executing Encoded Payload from Registry
- Scheduled Task Executing Payload from Registry