Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Manipulation Of Default Accounts Via Net.EXE

Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Sep 01Updated Tue Feb 215b768e71-86f2-4879-b448-81061cbae951windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic4 selectors
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_user_option:
        CommandLine|contains: ' user '
    selection_username:
        CommandLine|contains:
            # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
            - ' Järjestelmänvalvoja ' # Finish
            - ' Rendszergazda ' # Hungarian
            - ' Администратор ' # Russian
            - ' Administrateur ' # French
            - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
            - ' Administratör ' # Swedish
            - ' Administrator ' # English
            - ' guest '
            - ' DefaultAccount '
            # The cases below are for when an attacker requests the net command via 'cmd /c....'
            # First in double quotes
            - ' "Järjestelmänvalvoja" ' # Finish
            - ' "Rendszergazda" ' # Hungarian
            - ' "Администратор" ' # Russian
            - ' "Administrateur" ' # French
            - ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
            - ' "Administratör" ' # Swedish
            - ' "Administrator" ' # English
            - ' "guest" '
            - ' "DefaultAccount" '
            # Second in single quotes
            - " 'Järjestelmänvalvoja' " # Finish
            - " 'Rendszergazda' " # Hungarian
            - " 'Администратор' " # Russian
            - " 'Administrateur' " # French
            - " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
            - " 'Administratör' " # Swedish
            - " 'Administrator' " # English
            - " 'guest' "
            - " 'DefaultAccount' "
    filter:
        CommandLine|contains|all:
            - 'guest'
            - '/active no'
    condition: all of selection_* and not filter
False Positives

Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium

References
1
Resolving title…
trellix.com
2
Resolving title…
redacted.com
3
Resolving title…
microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
5b768e71-86f2-4879-b448-81061cbae951
Status
test
Level
high
Type
Detection
Created
Thu Sep 01
Modified
Tue Feb 21
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml
Raw Tags
attack.collectionattack.t1560.001
View on GitHub