Adversaries may create new local user accounts using a username (DefaultAccount) and passwords (P@ssw0rd1234, _AS_@1394) that Microsoft has observed DEV-0270, a threat actor it tracks, reuse to establish persistent access within an environment. Hunting for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) surfaces the account creation at the moment it happens, before the credentials are reused for lateral movement or long-term persistence. Note that the query keys on the initiating (parent) process command line in DeviceProcessEvents rather than the spawned process's own command line; one common reason that column carries a `net user ... /add` line is net.exe spawning net1.exe to do the work.
KQL Query
```kusto
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all('net user', '/add')
| parse InitiatingProcessCommandLine with * "user " username " "*
| extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine)
| where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')
```
The same query packaged as a Sentinel hunting-query definition:

```yaml
id: f2e7c61a-6e29-4ddf-ac2e-97eb7b37d621
name: Create new user with known DEV-0270 username and password
description: |
  Search for the creation of a new user using a known DEV-0270 username/password schema.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Persistence
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine has_all('net user', '/add')
  | parse InitiatingProcessCommandLine with * "user " username " "*
  | extend password = extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, InitiatingProcessCommandLine)
  | where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure it is enabled |
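To see exactly what the query's parse and extract stages produce, and to try the tuning ideas in the false-positive notes that follow, here is an added Python re-implementation of the same four stages run over constructed DeviceProcessEvents rows. It is not code from this page or from Microsoft. The sample rows, the `excluded_parents` knob and the `ignore_case` switch are assumptions for illustration; the stock query's `parse` delimiter matching is modelled as case-sensitive (confirm this against your tenant), while `extract` uses RE2 with no flags and is case-sensitive unless told otherwise. The upper-case row shows a command line that passes `has_all` (which is case-insensitive) but yields neither a username nor a password, so it slips past the stock query.

```python
import re

# Constructed sample rows, not real telemetry. Only the columns the query and
# the tuning notes touch are modelled: InitiatingProcessCommandLine (what the
# KQL parses) and InitiatingProcessFileName (used for exclusions).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "net user DefaultAccount Welcome123! /add"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "net user svc_mon P@ssw0rd1234 /add /y"},
    {"DeviceName": "srv03", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "net user helpdesk _AS_@1394 /add"},
    # Hypothetical provisioning tool reusing a weak template password.
    {"DeviceName": "build01", "InitiatingProcessFileName": "ansible-playbook",
     "InitiatingProcessCommandLine": "net user ci_runner P@ssw0rd1234 /add"},
    {"DeviceName": "ws04", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "net user jdoe Summer2024! /add"},
    # Same as ws01 but typed in upper case.
    {"DeviceName": "ws05", "InitiatingProcessFileName": "cmd.exe",
     "InitiatingProcessCommandLine": "NET USER DefaultAccount Welcome123! /ADD"},
]

KNOWN_USERNAMES = {"DefaultAccount"}
KNOWN_PASSWORDS = {"P@ssw0rd1234", "_AS_@1394"}


def has_all(cmdline, *terms):
    # Approximates KQL has_all: every term present, case-insensitive.
    # (KQL 'has' is term-based rather than a raw substring test; a plain
    # substring check is close enough for these inputs.)
    low = cmdline.lower()
    return all(t.lower() in low for t in terms)


def parse_username(cmdline, ignore_case=False):
    # Mirrors:  parse ... with * "user " username " " *
    # username is the token between the first literal "user " and the next
    # space. Modelled as case-sensitive (assumption); ignore_case=True shows
    # the tolerant variant a hardened query would use.
    flags = re.IGNORECASE if ignore_case else 0
    m = re.search(r"user ([^ ]*) ", cmdline, flags)
    return m.group(1) if m else None


def extract_password(cmdline, ignore_case=False):
    # Mirrors:  extract(@"\buser\s+[^\s]+\s+([^\s]+)", 1, ...)
    # KQL extract is RE2 with no flags, so case-sensitive by default.
    flags = re.IGNORECASE if ignore_case else 0
    m = re.search(r"\buser\s+[^\s]+\s+([^\s]+)", cmdline, flags)
    return m.group(1) if m else None


def hunt(events, excluded_parents=(), ignore_case=False):
    # Runs the four stages of the hunting query over a list of event dicts.
    # excluded_parents: InitiatingProcessFileName values to drop (a tuning
    # knob for known provisioning tools; not part of the stock query).
    excluded = {p.lower() for p in excluded_parents}
    hits = []
    for ev in events:
        cmd = ev["InitiatingProcessCommandLine"]
        if not has_all(cmd, "net user", "/add"):
            continue
        username = parse_username(cmd, ignore_case)
        password = extract_password(cmd, ignore_case)
        # KQL 'in' compares case-sensitively, so the credential values
        # themselves are matched exactly in both modes.
        if username not in KNOWN_USERNAMES and password not in KNOWN_PASSWORDS:
            continue
        if ev.get("InitiatingProcessFileName", "").lower() in excluded:
            continue
        hits.append({**ev, "username": username, "password": password})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["username"], hit["password"])
    print("after excluding ansible-playbook:",
          [h["DeviceName"] for h in hunt(SAMPLE_EVENTS, excluded_parents=("ansible-playbook",))])
    print("case-insensitive parse:",
          [h["DeviceName"] for h in hunt(SAMPLE_EVENTS, ignore_case=True)])
```

Running the script lists ws01, ws02, srv03 and build01 as hits; excluding the provisioning tool drops build01, and the case-insensitive variant additionally catches ws05. The build01 row is worth dwelling on: an exclusion makes the alert quieter, but a provisioning tool stamping out accounts with P@ssw0rd1234 is itself a weak shared credential to rotate, not merely a tuning candidate.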
Because the query only fires on the exact username DefaultAccount or the exact passwords P@ssw0rd1234 and _AS_@1394, a benign hit means a legitimate process created a local account with one of those values. Any such hit is worth a second look even when the source is trusted, since the shared weak credential is a finding in its own right.
Scenario: An administrator creates a local account by hand with `net user <name> <password> /add` and, for convenience, picks one of the watched passwords, or an imaging script creates an account under the DefaultAccount name.
Filter/Exclusion: Confirm the account and device with the administrator and exclude by DeviceName or by the account name, or filter by the admin workstation's source IP; keep the exclusion temporary and have the password rotated.
Scenario: A scheduled task or logon script recreates service or lab accounts during off-hours using a standard template password (a pure password rotation without `/add` would not match this query).
Filter/Exclusion: Exclude events inside the known maintenance window, or filter on the initiating process or command line of the scheduled task (e.g., the task's script name such as password_rotation_job).
Scenario: A configuration management or provisioning tool such as Ansible or Terraform creates a local CI/CD runner account from a predefined username and password template.
Filter/Exclusion: Filter by the initiating process or command line (e.g., ansible-playbook or terraform apply), or by a known CI/CD tool identifier in the event, after confirming the template password is not one of the watched values.
Scenario: An internal audit tool or compliance scanner creates a temporary local user to test access controls.
Filter/Exclusion: Filter by the initiating process name (e.g., audit_tool.exe or compliance_scanner.sh), or by an attribute that marks the account as temporary (e.g., temporary=true), and verify the account is removed afterwards.
Scenario: An identity or service management platform such as Okta or Azure AD provisions an account for a developer. Directory-side provisioning does not normally run `net user` on the endpoint and so will not appear in DeviceProcessEvents; a hit attributed to such a platform should be verified against the originating process before it is excluded.
Filter/Exclusion: Filter by the service provider (e.g., okta_user_creation