title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: test
description: Find local accounts being created or modified as well as remote authentication configurations
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'username'
        - 'aaa'
    condition: keywords
falsepositives:
    - When remote authentication is in place, this should not change often
level: high

title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
    - https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2025-10-31
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
        TargetObject|endswith: '$\(Default)'
        Image|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml
simulation:
    - type: atomic-red-team
      name: Create Hidden User in Registry
      technique: T1564.002
      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c

title: Hidden Local User Creation
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
status: test
description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
references:
    - https://twitter.com/SBousseaden/status/1387743867663958021
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2024-01-16
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
        TargetUserName|endswith: '$'
    filter_main_homegroup:
        TargetUserName: 'HomeGroupUser$'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: New User Created Via Net.EXE With Never Expire Option
id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
related:
    - id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
      type: derived
status: test
description: Detects creation of local users via the net.exe command with the option "never expire"
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2023-02-21
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'user'
            - 'add'
            - 'expires:never'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Privileged User Has Been Created
id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
status: test
description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
references:
    - https://digital.nhs.uk/cyber-alerts/2018/cc-2825
    - https://linux.die.net/man/8/useradd
    - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
author: Pawel Mazur
date: 2022-12-21
modified: 2025-01-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    product: linux
    definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work'
detection:
    # Example of the events that could be observed when matching these would be as follow
    #   Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
    #   Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
    #   Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
    #   Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
    selection_new_user:
        - 'new user'
    selection_uids_gids:
        - 'GID=0,' # root group
        - 'UID=0,' # root UID
        - 'GID=10,' # wheel group
        - 'GID=27,' # sudo group
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high

title: Suspicious Windows ANONYMOUS LOGON Local Account Created
id: 1bbf25b9-8038-4154-a50b-118f2a32be27
status: test
description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
references:
    - https://twitter.com/SBousseaden/status/1189469425482829824
author: James Pemberton / @4A616D6573
date: 2019-10-31
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1136.001
    - attack.t1136.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
        SamAccountName|contains|all:
            - 'ANONYMOUS'
            - 'LOGON'
    condition: selection
falsepositives:
    - Unknown
level: high

title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.lateral-movement
    - attack.t1133
    - attack.t1136.001
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: high

title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
    - https://access.redhat.com/articles/4409591#audit-record-types-2
    - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
author: Marie Euler, Pawel Mazur
date: 2020-05-18
modified: 2022-12-20
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall_record_type:
        type: 'SYSCALL'
        exe|endswith: '/useradd'
    selection_add_user_record_type:
        type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos
    condition: 1 of selection_*
falsepositives:
    - Admin activity
level: medium

title: FortiGate - New Administrator Account Created
id: cd0a4943-0edd-42cf-b50c-06f77a10d4c1
status: experimental
description: Detects the creation of an administrator account on a Fortinet FortiGate Firewall.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'system.admin'
    condition: selection
falsepositives:
    - An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized.
level: medium

title: FortiGate - New Local User Created
id: ddbbe845-1d74-43a8-8231-2156d180234d
status: experimental
description: |
    Detects the creation of a new local user on a Fortinet FortiGate Firewall.
    The new local user could be used for VPN connections.
references:
    - https://www.fortiguard.com/psirt/FG-IR-24-535
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event
    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local
    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr
author: Marco Pedrinazzi @pedrinazziM (InTheCyber)
date: 2025-11-01
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: fortigate
    service: event
detection:
    selection:
        action: 'Add'
        cfgpath: 'user.local'
    condition: selection
falsepositives:
    - A local user can be created for legitimate purposes. Investigate the user details to determine if it is authorized.
level: medium

title: New User Created Via Net.EXE
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
related:
    - id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
      type: similar
status: test
description: Identifies the creation of local users via the net.exe command.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'user'
            - 'add'
    condition: all of selection_*
falsepositives:
    - Legitimate user creation.
    - Better use event IDs for user creation rather than command line rules.
level: medium

title: PowerShell Create Local User
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
status: test
description: Detects creation of a local user via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: '@ROxPinTeddy'
date: 2020-04-11
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.001
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'New-LocalUser'
    condition: selection
falsepositives:
    - Legitimate user creation
level: medium

title: Creation Of A Local User Account
id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
    - https://ss64.com/osx/sysadminctl.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2023-02-18
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    category: process_creation
    product: macos
detection:
    selection_dscl:
        Image|endswith: '/dscl'
        CommandLine|contains: 'create'
    selection_sysadminctl:
        Image|endswith: '/sysadminctl'
        CommandLine|contains: 'addUser'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low

title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
status: test
description: |
    Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
references:
    - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
date: 2019-04-18
modified: 2021-01-17
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
    condition: selection
falsepositives:
    - Domain Controller Logs
    - Local accounts managed by privileged account management tools
level: low