Suspicious Manipulation Of Default Accounts Via Net.EXE

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1560.001` Archive Collected Data: Archive via Utility

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\net.exe'
Image|endswith: '\net1.exe'
OriginalFileName: net.exe
OriginalFileName: net1.exe

Stage 2: `all of selection_user_option`

CommandLine|contains: ' user '

Stage 3: `all of selection_username`

or:
CommandLine|contains: ' ''Administrador'' '
CommandLine|contains: ' ''Administrateur'' '
CommandLine|contains: ' ''Administrator'' '
CommandLine|contains: ' ''Administratör'' '
CommandLine|contains: ' ''DefaultAccount'' '
CommandLine|contains: ' ''Järjestelmänvalvoja'' '
CommandLine|contains: ' ''Rendszergazda'' '
CommandLine|contains: ' ''guest'' '
CommandLine|contains: ' ''Администратор'' '
CommandLine|contains: ' Administrador '
CommandLine|contains: ' Administrateur '
CommandLine|contains: ' Administrator '
CommandLine|contains: ' Administratör '
CommandLine|contains: ' DefaultAccount '
CommandLine|contains: ' Järjestelmänvalvoja '
CommandLine|contains: ' Rendszergazda '
CommandLine|contains: ' "Administrador" '
CommandLine|contains: ' "Administrateur" '
CommandLine|contains: ' "Administrator" '
CommandLine|contains: ' "Administratör" '
CommandLine|contains: ' "DefaultAccount" '
CommandLine|contains: ' "Järjestelmänvalvoja" '
CommandLine|contains: ' "Rendszergazda" '
CommandLine|contains: ' "guest" '
CommandLine|contains: ' "Администратор" '
CommandLine|contains: ' guest '
CommandLine|contains: ' Администратор '

Stage 4: `not filter`

CommandLine|contains: '/active no'
CommandLine|contains: guest

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`"Administrador"` `"Administrateur"` `"Administrator"` `"Administratör"` `"DefaultAccount"` `"Järjestelmänvalvoja"` `"Rendszergazda"` `"guest"` `"Администратор"` `'Administrador'` `'Administrateur'` `'Administrator'` `'Administratör'` `'DefaultAccount'` `'Järjestelmänvalvoja'` `'Rendszergazda'` `'guest'` `'Администратор'` `Administrador` `Administrateur` `Administrator` `Administratör` `DefaultAccount` `Järjestelmänvalvoja` `Rendszergazda` `guest` `user` corpus 3 (sigma 3) `Администратор` `/active no` `guest`
`Image`	ends_with	`\net.exe` corpus 27 (sigma 27) `\net1.exe` corpus 25 (sigma 25)
`OriginalFileName`	eq	`net.exe` corpus 16 (sigma 16) `net1.exe` corpus 16 (sigma 16)

Suspicious Manipulation Of Default Accounts Via Net.EXE

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: all of selection_img

Stage 2: all of selection_user_option

Stage 3: all of selection_username

Stage 4: not filter

Indicators

Stage 1: `all of selection_img`

Stage 2: `all of selection_user_option`

Stage 3: `all of selection_username`

Stage 4: `not filter`