Detection rules › Kusto

DEV-0270 New User Creation

Status
available
Severity
high
Time window
6h
Source
github.com/Azure/Azure-Sentinel

The following query tries to detect creation of a new user using a known DEV-0270 username/password schema

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1098 Account Manipulation

Event coverage

Rule body kusto

id: 7965f0be-c039-4d18-8ee8-9a6add8aecf3
name: DEV-0270 New User Creation
description: | 
  'The following query tries to detect creation of a new user using a known DEV-0270 username/password schema'
severity: High 
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
queryFrequency: 6h 
queryPeriod: 6h 
triggerOperator: gt 
triggerThreshold: 0 
status: Available
tactics: 
  - Persistence
relevantTechniques:
  - T1098
tags:
  - Dev-0270
query: |
  (union isfuzzy=true
  (SecurityEvent
  | where EventID == 4688
  | where CommandLine has_all ('net user', '/add') 
  | parse CommandLine with * "user " username " "*
  | extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, CommandLine) 
  | where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394') 
  | project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
  ),
  (DeviceProcessEvents 
  | where InitiatingProcessCommandLine has_all('net user', '/add') 
  | parse InitiatingProcessCommandLine with * "user " username " "* 
  | extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine) 
  | where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394') 
  | extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
  )
  )
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Account
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.0.3
kind: Scheduled

Stages and Predicates

Stage 1: union

union isfuzzy=true

Stage 2: source time_window=21600s

SecurityEvent

Stage 3: where

| where EventID == 4688

Stage 4: where

| where CommandLine has_all ('net user', '/add')

Stage 5: parse

| parse CommandLine with * "user " username " "*

Stage 6: extend

| extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, CommandLine)

Stage 7: where

| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')

Stage 8: project

| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type

Stage 9: source

DeviceProcessEvents

Stage 10: where

| where InitiatingProcessCommandLine has_all('net user', '/add')

Stage 11: parse

| parse InitiatingProcessCommandLine with * "user " username " "*

Stage 12: extend

| extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine)

Stage 13: where

| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')

Stage 14: extend

| extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName

Stage 15: extend

| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))

Stage 16: extend

| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)

Stage 17: extend

| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • /add corpus 10 (sigma 6, splunk 2, kusto 2)
  • net user
EventIDeq
  • 4688 transforms: cased corpus 312 (splunk 283, kusto 29)
InitiatingProcessCommandLinematch
  • /add corpus 10 (sigma 6, splunk 2, kusto 2)
  • net user
passwordin
  • P@ssw0rd1234
  • _AS_@1394
usernamein
  • DefaultAccount

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Accountextend
AccountDomainproject
Activityproject
CommandLineproject
Computerextend
EventIDproject
EventSourceNameproject
ProcessNameproject
ProcessNameFullPathproject
TimeGeneratedproject
Typeproject
passwordextend
DomainIndexextend
HostNameextend
HostNameDomainextend
AccountNTDomainextend
AccountNameextend