sigma/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml at master · SigmaHQ/sigma · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
title: Suspicious Manipulation Of Default Accounts Via Net.EXE
id: 5b768e71-86f2-4879-b448-81061cbae951
status: test
description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
references:
    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2023-02-21
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_user_option:
        CommandLine|contains: ' user '
    selection_username:
        CommandLine|contains:
            # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
            - ' Järjestelmänvalvoja ' # Finish
            - ' Rendszergazda ' # Hungarian
            - ' Администратор ' # Russian
            - ' Administrateur ' # French
            - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
            - ' Administratör ' # Swedish
            - ' Administrator ' # English
            - ' guest '
            - ' DefaultAccount '
            # The cases below are for when an attacker requests the net command via 'cmd /c....'
            # First in double quotes
            - ' "Järjestelmänvalvoja" ' # Finish
            - ' "Rendszergazda" ' # Hungarian
            - ' "Администратор" ' # Russian
            - ' "Administrateur" ' # French
            - ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
            - ' "Administratör" ' # Swedish
            - ' "Administrator" ' # English
            - ' "guest" '
            - ' "DefaultAccount" '
            # Second in single quotes
            - " 'Järjestelmänvalvoja' " # Finish
            - " 'Rendszergazda' " # Hungarian
            - " 'Администратор' " # Russian
            - " 'Administrateur' " # French
            - " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
            - " 'Administratör' " # Swedish
            - " 'Administrator' " # English
            - " 'guest' "
            - " 'DefaultAccount' "
    filter:
        CommandLine|contains|all:
            - 'guest'
            - '/active no'
    condition: all of selection_* and not filter
falsepositives:
    - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
level: high