
Cisco IOS Suspicious Privileged Account Creation

Splunk Security Content

Summary
This analytic rule identifies suspicious privileged user account creation on Cisco IOS devices, which may indicate an attacker setting up unauthorized access channels. It targets commands that create user accounts with privilege level 15 (the highest available on Cisco IOS) and also detects commands that modify the privilege level of existing accounts. Unauthorized user-account activity, particularly during unusual hours, is significant because it may signify a persistence attempt following vulnerability exploitation (such as CVE-2018-0171). Threat actors such as Static Tundra have been observed creating such accounts after initial access, which makes this detection important for network security.
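As an added illustration of the detection logic described above (not Splunk's own search or code), the following Python scans constructed Cisco IOS configuration-change syslog lines for commands that create a privilege-15 account or raise an existing account to privilege 15, and additionally flags changes made outside business hours. The log line layout, hostnames, usernames and the 07:00-19:00 business-hours window are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of Cisco IOS configuration logging
# (%PARSER-5-CFGLOG_LOGGEDCMD). Timestamps, hostnames, usernames and secrets
# are invented for this example.
SAMPLE_LOGS = [
    "Aug 21 2025 14:02:11 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1",
    "Aug 21 2025 03:17:45 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username svc_backup privilege 15 secret 0 Passw0rd",
    "Aug 21 2025 10:30:02 rtr2 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username auditor privilege 15",
    "Aug 21 2025 11:05:59 rtr2 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username helpdesk privilege 5 secret 0 x",
]

# Assumed line layout: "<timestamp> <host> %PARSER-5-CFGLOG_LOGGEDCMD: User:<actor>  logged command:<cmd>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<actor>\S+)\s+logged command:(?P<cmd>.*)$"
)
# Matches "username <name> ... privilege 15 ..."; \b keeps "privilege 5" and
# "privilege 150" from matching.
PRIV15_RE = re.compile(r"^username (?P<user>\S+) .*?\bprivilege 15\b")


def is_off_hours(ts, start=7, end=19):
    """True when the change falls outside the assumed business-hours window."""
    return not (start <= ts.hour < end)


def detect_priv15_changes(lines):
    """Return one finding per privilege-15 account creation or modification."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        p = PRIV15_RE.match(cmd)
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        # A secret/password clause means a credential is being set (creation,
        # T1136); without one the command only changes privilege (T1078).
        action = "create" if re.search(r"\b(secret|password)\b", cmd) else "modify"
        findings.append({"time": ts, "host": m["host"], "actor": m["actor"],
                         "user": p["user"], "action": action,
                         "off_hours": is_off_hours(ts)})
    return findings


if __name__ == "__main__":
    for f in detect_priv15_changes(SAMPLE_LOGS):
        print(f)
```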
Categories
  • Network
Data Sources
  • Pod
ATT&CK Techniques
  • T1136
  • T1078
  • T1190
Created: 2025-08-21