DEV-0270 New User Creation
Detection rule (Kusto Query Language)
The following query tries to detect the creation of a new user using a known DEV-0270 username/password schema.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
| Privilege Escalation | T1098 Account Manipulation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: source (<union>)
Stage 2: union of 2 branches
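The following KQL is an added illustration of the shape of such a rule (two process-creation branches joined by a union, then filtered against a list of known account names); it is not the original DEV-0270 query, and the Microsoft Sentinel SecurityEvent table, populated CommandLine values (command-line auditing must be enabled for Event ID 4688), the two detection branches and the placeholder username list are all assumptions, since this page does not reproduce the rule's actual username/password schema.

```kusto
// Added example, not the original DEV-0270 rule.
// Assumptions: Microsoft Sentinel SecurityEvent table; Event ID 4688 with
// command-line auditing enabled so that CommandLine is populated; the two
// branches below are illustrative, not the rule's own predicates.
let lookback = 7d;
// Constructed placeholders: replace with the account names from the rule's own schema.
let KnownUsernames = dynamic(["PLACEHOLDER_USER_1", "PLACEHOLDER_USER_2"]);
// Shared source: process-creation events in the lookback window.
let ProcessCreation =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688
    | where isnotempty(CommandLine);
// Branch 1: local account creation through net.exe / net1.exe ("net user <name> <password> /add").
let NetUserAdd =
    ProcessCreation
    | where CommandLine has "user" and CommandLine has "add"      // cheap term pre-filter
    | where CommandLine matches regex @"(?i)\bnet1?(\.exe)?\s+user\s+.*\s/add\b"
    | extend NewUser = extract(@"(?i)\bnet1?(\.exe)?\s+user\s+""?([^\s""/]+)", 2, CommandLine)
    | extend Method = "net user /add";
// Branch 2: local account creation through the PowerShell New-LocalUser cmdlet.
let PsNewLocalUser =
    ProcessCreation
    | where CommandLine has "New-LocalUser"
    | extend NewUser = extract(@"(?i)New-LocalUser\s+(?:-Name\s+)?""?([^\s""]+)", 1, CommandLine)
    | extend Method = "New-LocalUser";
// Union of the two branches, then keep only account names from the known list.
union NetUserAdd, PsNewLocalUser
| where isnotempty(NewUser)
| where NewUser in~ (KnownUsernames)
| project TimeGenerated, Computer, Account, NewProcessName, CommandLine, NewUser, Method
| sort by TimeGenerated desc
```

The username match is case-insensitive (`in~`) because Windows account names are; the regex pre-filters on `has` keep the heavier `matches regex` and `extract` stages off the bulk of 4688 volume. If CommandLine is empty for every row, command-line auditing is not enabled on the source hosts and the rule cannot fire.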