Detect User Account Created Using Command-line
Description
This KQL query detects user accounts that are added via the command line. Adding users via the command line is a common technique adversaries use to gain persistence on a system. Some examples of command lines used by adversaries are shown below.
```bat
net user username password /add /domain
net user /add /domain
```
Risk
An attacker gained access to a system and created an account for persistence.
Query
Microsoft Defender For Endpoint
```kusto
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
```
Microsoft Sentinel
```kusto
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
```
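To see what the query above does and does not match, here is an added Python emulation (not part of the original rule) run over a constructed set of DeviceProcessEvents rows. It assumes a simplified model of Kusto term tokenization (alphanumeric runs, case-insensitive) to mimic `has_all`, and keeps the case-sensitive semantics of the `in` operator used on FileName.

```python
import re
from typing import Iterable

# Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws01", "FileName": "net.exe",
     "ProcessCommandLine": "net user backdoor P@ssw0rd /add",
     "InitiatingProcessCommandLine": "cmd.exe /c net user backdoor P@ssw0rd /add"},
    {"Timestamp": "2024-01-01T10:01:00Z", "DeviceName": "ws01", "FileName": "net1.exe",
     "ProcessCommandLine": "NET1 USER svc Hunter2 /ADD /DOMAIN",   # net.exe hands off to net1.exe
     "InitiatingProcessCommandLine": "net user svc Hunter2 /add /domain"},
    {"Timestamp": "2024-01-01T10:02:00Z", "DeviceName": "ws02", "FileName": "net.exe",
     "ProcessCommandLine": "net user",                              # enumeration only, no /add
     "InitiatingProcessCommandLine": "cmd.exe"},
    {"Timestamp": "2024-01-01T10:03:00Z", "DeviceName": "ws02", "FileName": "net.exe",
     "ProcessCommandLine": "net localgroup Administrators svc /add",  # group change, no "user" term
     "InitiatingProcessCommandLine": "cmd.exe"},
    {"Timestamp": "2024-01-01T10:04:00Z", "DeviceName": "ws03", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell New-LocalUser -Name x",      # outside this rule's FileName filter
     "InitiatingProcessCommandLine": "explorer.exe"},
]

TERM_RE = re.compile(r"[A-Za-z0-9]+")

def terms(text: str) -> set[str]:
    """Assumption: approximate Kusto term tokenization as alphanumeric runs, lower-cased."""
    return {t.lower() for t in TERM_RE.findall(text)}

def has_all(text: str, needles: Iterable[str]) -> bool:
    """Emulate KQL `has_all`: every needle must occur as a whole term, case-insensitively."""
    found = terms(text)
    return all(n.lower() in found for n in needles)

PROJECTED = ("Timestamp", "DeviceName", "ProcessCommandLine", "InitiatingProcessCommandLine")

def detect_user_add(events: list) -> list:
    """Apply the rule's filters and projection; returns the rows an analyst would see."""
    hits = []
    for ev in events:
        # KQL `in` is case-sensitive (use `in~` for a case-insensitive match), so mirror that here.
        if ev["FileName"] not in ("net.exe", "net1.exe"):
            continue
        if not has_all(ev["ProcessCommandLine"], ("add", "user")):
            continue
        hits.append({k: ev[k] for k in PROJECTED})
    return hits

if __name__ == "__main__":
    for row in detect_user_add(SAMPLE_EVENTS):
        print(row["Timestamp"], row["DeviceName"], row["ProcessCommandLine"])
```

Only the two account-creation rows survive; the `localgroup` change is a separate technique this rule intentionally does not cover, and the InitiatingProcessCommandLine column shows which parent launched the net command.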