Detectionmediumtest

PowerShell Create Local User

Detects creation of a local user via PowerShell

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

@roxpinteddyCreated Sat Apr 11Updated Sun Dec 25243de76f-4725-4f2e-8225-a8a69b15ad61windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains: 'New-LocalUser'
    condition: selection

False Positives

Legitimate user creation

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

243de76f-4725-4f2e-8225-a8a69b15ad61

Status

test

Level

medium

Type

Detection

Created

Sat Apr 11

Modified

Sun Dec 25

Author

Path

rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml

Raw Tags

attack.executionattack.t1059.001attack.persistenceattack.t1136.001