Suspicious Manipulation Of Default Accounts Via Net.EXE

Detects suspicious manipulation of the built-in default accounts, such as 'administrator' and 'guest', via net.exe: for example enabling or disabling the account or changing its password.

Sigma rule

title: Suspicious Manipulation Of Default Accounts Via Net.EXE
id: 5b768e71-86f2-4879-b448-81061cbae951
status: test
description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
references:
    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/01
modified: 2023/02/21
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_user_option:
        CommandLine|contains: ' user '
    selection_username:
        CommandLine|contains:
            # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
            - ' Järjestelmänvalvoja ' # Finnish
            - ' Rendszergazda ' # Hungarian
            - ' Администратор ' # Russian
            - ' Administrateur ' # French
            - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
            - ' Administratör ' # Swedish
            - ' Administrator ' # English
            - ' guest '
            - ' DefaultAccount '
            # The cases below are for when an attacker requests the net command via 'cmd /c....'
            # First in double quotes
            - ' "Järjestelmänvalvoja" ' # Finnish
            - ' "Rendszergazda" ' # Hungarian
            - ' "Администратор" ' # Russian
            - ' "Administrateur" ' # French
            - ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
            - ' "Administratör" ' # Swedish
            - ' "Administrator" ' # English
            - ' "guest" '
            - ' "DefaultAccount" '
            # Second in single quotes
            - " 'Järjestelmänvalvoja' " # Finnish
            - " 'Rendszergazda' " # Hungarian
            - " 'Администратор' " # Russian
            - " 'Administrateur' " # French
            - " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
            - " 'Administratör' " # Swedish
            - " 'Administrator' " # English
            - " 'guest' "
            - " 'DefaultAccount' "
    filter:
        CommandLine|contains|all:
            - 'guest'
            - '/active no'
    condition: all of selection_* and not filter
falsepositives:
    - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
level: high
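To see how the three selections and the filter interact, here is an added example (not part of the Sigma project or this rule) that re-implements the rule's matching logic in Python and runs it over constructed process_creation events; the event dicts and the `matches_rule` / `alerting_command_lines` names are assumptions made for the demonstration.

```python
# Added example: evaluates this rule's logic over constructed events.
# Field names (Image, OriginalFileName, CommandLine) follow the rule; the
# sample events below are made up for the demonstration, not real telemetry.

ACCOUNT_NAMES = [
    "Järjestelmänvalvoja", "Rendszergazda", "Администратор", "Administrateur",
    "Administrador", "Administratör", "Administrator", "guest", "DefaultAccount",
]

def username_patterns():
    """Bare, double-quoted and single-quoted forms, each padded with spaces as in the rule."""
    pats = []
    for name in ACCOUNT_NAMES:
        pats += [f" {name} ", f' "{name}" ', f" '{name}' "]
    return pats

def matches_rule(event):
    """True if the event satisfies: all of selection_* and not filter."""
    # Sigma string modifiers are case-insensitive by default, so compare lowercased.
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    cl = event.get("CommandLine", "").lower()
    selection_img = image.endswith(("\\net.exe", "\\net1.exe")) or ofn in ("net.exe", "net1.exe")
    selection_user_option = " user " in cl
    selection_username = any(p.lower() in cl for p in username_patterns())
    filter_guest = "guest" in cl and "/active no" in cl
    return selection_img and selection_user_option and selection_username and not filter_guest

# Constructed sample events.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user Administrator /active:yes"},       # alert
    {"Image": r"C:\Temp\n.exe", "OriginalFileName": "net.exe",
     "CommandLine": "n user Администратор /active:yes"},         # alert: renamed binary caught via OriginalFileName
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  user "guest" /active:yes'},            # alert: quoted form from a cmd /c invocation
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 user guest /active no"},               # no alert: filter (guest + '/active no')
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user guest /active:no"},                # alert: filter string has no colon, so this form is not excluded
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user admin /add"},                      # no alert: not one of the default account names
]

def alerting_command_lines(events=SAMPLE_EVENTS):
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for cmd in alerting_command_lines():
        print("ALERT:", cmd)
```

The fifth event shows that, with the filter written as '/active no', disabling guest with the colon syntax still alerts; tune that filter if such admin scripts are common in your environment.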
