Suspicious Manipulation Of Default Accounts Via Net.EXE

Sigma Rules

Summary
This detection rule identifies suspicious manipulation of the default Windows user accounts, specifically 'administrator' and 'guest'. Such manipulation includes enabling or disabling the account and changing its password, typically performed through the Windows command-line utility Net.EXE. The rule captures command-line invocations in which the user-account management features of Net.EXE are applied to these accounts. Its detection logic is a set of conditions that look for certain keywords in the command line of a 'net.exe' or 'net1.exe' process, filtering out benign operations (such as read-only queries) while flagging cases where account changes could indicate unauthorized access or an attempt to abuse a built-in account. This makes it a high-value alert for Windows environments, where default accounts pose a security risk if they are re-enabled or repurposed without authorization. The rule is written against process creation logs, where Windows command lines are recorded, and gives security analysts a way to monitor suspicious user-account management activity.
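The following is an added illustration, not the Sigma rule itself, of the kind of process-creation check the summary describes: it parses the command line of a `net.exe` / `net1.exe` event, works out whether a `net user` subcommand enables, disables, deletes or sets a password on an account, and flags it only when the target is one of the default accounts. The account names, the `ProcessEvent` structure and the sample log events are constructed for this example; the English-only account names are an assumption (localized Windows builds name these accounts differently), and the real rule's exact conditions may differ.

```python
"""Toy detector for default-account manipulation via net.exe / net1.exe.

Approximates the logic the rule summary describes; it is an added example,
not the Sigma rule's own condition block.
"""
from dataclasses import dataclass
from typing import List, Optional

NET_BINARIES = {"net.exe", "net1.exe"}
# Assumption: English account names only. Localized builds differ.
DEFAULT_ACCOUNTS = {"administrator", "guest"}


@dataclass
class ProcessEvent:
    """Minimal process-creation event (constructed shape, not a real log schema)."""
    image: str          # full path of the created process
    command_line: str


@dataclass
class NetUserAction:
    account: str        # lower-cased target account
    action: str         # "enable", "disable", "delete" or "set_password"


def parse_net_user(command_line: str) -> Optional[NetUserAction]:
    """Return the state-changing action of a `net user ...` command, or None.

    Read-only forms ("net user", "net user administrator") return None so
    that account enumeration on its own is not flagged.
    """
    tokens = command_line.split()
    lowered = [t.lower() for t in tokens]
    if "user" not in lowered:
        return None
    rest = tokens[lowered.index("user") + 1:]
    if not rest:
        return None                         # bare "net user" lists accounts only
    account = rest[0].strip('"').lower()
    if account.startswith("/"):
        return None                         # no account name given
    action = None
    for arg in rest[1:]:
        a = arg.lower()
        if a == "/active:yes":
            action = "enable"
        elif a == "/active:no":
            action = "disable"
        elif a == "/delete":
            action = "delete"
        elif not a.startswith("/") and action is None:
            action = "set_password"         # positional password (or "*")
    if action is None:
        return None                         # query only, e.g. "net user guest"
    return NetUserAction(account, action)


def is_suspicious_default_account_manipulation(ev: ProcessEvent) -> bool:
    """True when net.exe/net1.exe changes the state of a default account."""
    image_name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name not in NET_BINARIES:
        return False
    action = parse_net_user(ev.command_line)
    return action is not None and action.account in DEFAULT_ACCOUNTS


def scan(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that the check flags."""
    return [ev for ev in events if is_suspicious_default_account_manipulation(ev)]


# Constructed sample events for a quick run; not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user administrator /active:yes"),
    ProcessEvent(r"C:\Windows\System32\net1.exe", "net1 user guest NewPass123"),
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user administrator"),          # query only
    ProcessEvent(r"C:\Windows\System32\net.exe", "net user svc_backup /active:no"),  # not a default account
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd /c net user guest /active:yes"),  # wrong image
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print("ALERT:", ev.image, "|", ev.command_line)
```

The `cmd.exe` sample is deliberately left unflagged: in a real environment the child `net.exe` process would produce its own creation event, which this check would catch, so matching on the wrapper shell is unnecessary and would only widen the rule.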
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-09-01