Powershell LocalAccount Manipulation
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
Sigma rule (View on GitHub)
1title: Powershell LocalAccount Manipulation
2id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c
3status: test
4description: |
5 Adversaries may manipulate accounts to maintain access to victim systems.
6 Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
9 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
10author: frack113
11date: 2021/12/28
12tags:
13 - attack.persistence
14 - attack.t1098
15logsource:
16 product: windows
17 category: ps_script
18 definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20 selection:
21 ScriptBlockText|contains:
22 - 'Disable-LocalUser'
23 - 'Enable-LocalUser'
24 - 'Get-LocalUser'
25 - 'Set-LocalUser'
26 - 'New-LocalUser'
27 - 'Rename-LocalUser'
28 - 'Remove-LocalUser'
29 condition: selection
30falsepositives:
31 - Legitimate administrative script
32level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
This section contains the help topics for the Local Accounts cmdlets in Windows PowerShell. Note This module is not available in 32-bit PowerShell on a 64-bit system.
Read More
Related rules
- Cisco Local Accounts
- Password Change on Directory Service Restore Mode (DSRM) Account
- Code Executed Via Office Add-in XLL File
- Creation Exe for Service with Unquoted Path
- Manipulation of User Computer or Group Security Principals Across AD