Adversaries may use uncommon or undocumented command-line switches to create user accounts as part of persistence efforts. net.exe accepts abbreviated switches such as /ad for /add and /do for /domain; these spellings do not appear in the documented syntax, so they are a useful extra signal on top of otherwise noisy "net user ... /add" activity. SOC teams should proactively hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) to identify potential persistence mechanisms and mitigate long-term access risks.
KQL Query
imProcessCreate
| where Process has_any ("net.exe", "net1.exe") // performance pre-filter: avoids running split() on every process event
| extend FileName = tostring(split(Process, '\\')[-1])
| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
| where FileName in~ ("net.exe", "net1.exe")
// CreatedUser is the token after "user "; parse-where drops command lines with no "/ad" prefix at all
// (e.g. a bare "net user" listing) instead of keeping them with an empty CreatedUser, as parse would
| parse-where kind=regex flags=iU CommandLine with * "user " CreatedUser " " * "/ad"
// net.exe re-launches itself as net1.exe with the same arguments; drop that child so each command is counted once
| where not(FileName =~ "net1.exe" and ActingProcessFileName =~ "net.exe" and replace("net", "net1", ActingProcessCommandLine) =~ CommandLine)
| extend CreatedOnLocalMachine = (CommandLine !has "/do")
// keep only the undocumented spellings: "/ad" without the full "/add", or "/do" without the full "/domain"
| where CommandLine !has "/add" or (CreatedOnLocalMachine == 0 and CommandLine !has "/domain")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount = dcount(Dvc) by CreatedUser, CreatedOnLocalMachine, ActingProcessFileName, FileName, CommandLine, ActingProcessCommandLine, EventVendor, EventProduct
| extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser
id: 374a40ba-73fc-4d70-95ac-524b5765ffa2
name: Summary of users created using uncommon/undocumented commandline switches (Normalized Process Events)
description: |
  'Summarizes uses of uncommon & undocumented commandline switches to create persistence.
  User accounts may be created to achieve persistence on a machine.
  Read more here: https://attack.mitre.org/wiki/Technique/T1136
  Query for users being created using the "net user" command.
  "net user" commands are noisy, so they need to be joined with another signal -
  e.g. in this example we look for some undocumented variations (e.g. /ad instead of /add).'
requiredDataConnectors: []
tactics:
  - Persistence
relevantTechniques:
  - T1136
query: |
  imProcessCreate
  | where Process has_any ("net.exe", "net1.exe") // performance pre-filter: avoids running split() on every process event
  | extend FileName = tostring(split(Process, '\\')[-1])
  | extend ActingProcessFileName = tostring(split(ActingProcessName, '\\')[-1])
  | where FileName in~ ("net.exe", "net1.exe")
  // CreatedUser is the token after "user "; parse-where drops command lines with no "/ad" prefix at all
  // (e.g. a bare "net user" listing) instead of keeping them with an empty CreatedUser, as parse would
  | parse-where kind=regex flags=iU CommandLine with * "user " CreatedUser " " * "/ad"
  // net.exe re-launches itself as net1.exe with the same arguments; drop that child so each command is counted once
  | where not(FileName =~ "net1.exe" and ActingProcessFileName =~ "net.exe" and replace("net", "net1", ActingProcessCommandLine) =~ CommandLine)
  | extend CreatedOnLocalMachine = (CommandLine !has "/do")
  // keep only the undocumented spellings: "/ad" without the full "/add", or "/do" without the full "/domain"
  | where CommandLine !has "/add" or (CreatedOnLocalMachine == 0 and CommandLine !has "/domain")
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), MachineCount = dcount(Dvc) by CreatedUser, CreatedOnLocalMachine, ActingProcessFileName, FileName, CommandLine, ActingProcessCommandLine, EventVendor, EventProduct
  | extend timestamp = StartTimeUtc, AccountCustomEntity = CreatedUser
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASim process-event parser, not a connector: the hunt returns nothing unless the ASim parsers are deployed and at least one source that feeds them (Windows Security Event 4688, Sysmon Event ID 1, or Microsoft Defender for Endpoint process events) is connected. |
Scenario: A system administrator creates a local account for a temporary project but types the switch in shorthand, for example net user contractor Pa55w0rd /ad; net.exe accepts the abbreviation, so the command succeeds and the hunt returns it.
Filter/Exclusion: Confirm that the acting process (cmd.exe or powershell.exe in an interactive admin session), the host and the time match a known administrator and a documented request. Tune on the acting account, host and parent process, not on CreatedUser, since an attacker chooses the user name.
Scenario: A scheduled task runs a provisioning script that assembles the net user command from variables and emits /add /do instead of /add /domain, so domain accounts are created with the abbreviated switch on every run.
Filter/Exclusion: Verify that the task and the script are owned by a known service account, that the script sits in a controlled path (Task Scheduler, PowerShell, Ansible or similar), and that the accounts it creates belong to a documented user-lifecycle process. Exclude on ActingProcessCommandLine (the script path) rather than on the user name, and keep the exclusion narrow enough that an attacker cannot satisfy it by naming their own script the same way.
Scenario: A developer creates domain users with dsadd, New-ADUser or ADSI rather than with net.exe.
Filter/Exclusion: No tuning is needed here, because this query only inspects net.exe and net1.exe; those tools are neither matched nor suppressed by it. Cover them with a separate hunt (for example on Security Event 4720, "A user account was created") so that the gap is not mistaken for an exclusion.
Scenario: A deployment or configuration-management tool (e.g. an SCCM task sequence) creates a temporary local account during installation, and the vendor script uses a shorthand switch.
Filter/Exclusion: Validate that the acting process is the known deployment agent, that the account creation is a documented installation or configuration step, and that the account is removed again afterwards; a "temporary" account that is still present days later is a finding, not a false positive.
Scenario: A backup product (e.g. Veeam) running its setup under a service account creates a service user with a shorthand switch.
Filter/Exclusion: Confirm that the account creation is part of the tool's documented setup or configuration process and that the acting process is the tool's installer. File-copy utilities such as Robocopy or rsync do not create accounts, so net user activity attributed to them deserves a closer look rather than an exclusion.
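As an added example (not part of the hunting query or of the Sentinel repository), the following Python re-implements the stages of the KQL above over a handful of constructed process-creation events, so you can see which command lines survive each filter, and bolts on the acting-process allowlist that the tuning scenarios describe. Everything in it is made up: the hosts, the sample events and the C:\ops\provision.ps1 path are assumptions. has_switch approximates KQL's term-based has, and the net1.exe de-duplication uses a single leading replacement rather than the replace-all behaviour of KQL's replace().

```python
import re

SYS32 = "C:\\Windows\\System32\\"


def ev(time, dvc, proc, cmdline, acting, acting_cmdline):
    """Builds one imProcessCreate-shaped event (constructed sample data, not real telemetry)."""
    return {"TimeGenerated": time, "Dvc": dvc, "Process": SYS32 + proc, "CommandLine": cmdline,
            "ActingProcessName": SYS32 + acting, "ActingProcessCommandLine": acting_cmdline}


PS = "WindowsPowerShell\\v1.0\\powershell.exe"
PROVISION = "powershell.exe -File C:\\ops\\provision.ps1"   # hypothetical provisioning script
SAMPLE_EVENTS = [
    # 1: abbreviated /ad, local account -> reported
    ev("2024-05-01T10:00:00Z", "WS01", "net.exe", "net user backupsvc P@ssw0rd1 /ad", "cmd.exe", "cmd.exe"),
    # 2: the net1.exe child that net.exe spawns for event 1 -> de-duplicated
    ev("2024-05-01T10:00:01Z", "WS01", "net1.exe", "net1 user backupsvc P@ssw0rd1 /ad",
       "net.exe", "net user backupsvc P@ssw0rd1 /ad"),
    # 3: documented /add, local account -> routine admin noise, dropped
    ev("2024-05-01T11:00:00Z", "WS02", "net.exe", "net user tempuser Summer2024! /add", "cmd.exe", "cmd.exe"),
    # 4: documented /add but abbreviated /do -> domain account, reported
    ev("2024-05-02T09:00:00Z", "DC01", "net.exe", "net user svc_deploy Pass1234! /add /do", PS, PROVISION),
    # 5: fully documented domain syntax -> dropped
    ev("2024-05-02T09:05:00Z", "DC01", "net.exe", "net user svc_deploy Pass1234! /add /domain", PS, PROVISION),
    # 6: event 1's command line on a second host -> same summary row, MachineCount 2
    ev("2024-05-03T08:00:00Z", "WS03", "net.exe", "net user backupsvc P@ssw0rd1 /ad", "cmd.exe", "cmd.exe"),
    # 7: no creation switch at all -> parse fails, dropped
    ev("2024-05-03T08:30:00Z", "WS02", "net.exe", "net user", "cmd.exe", "cmd.exe"),
]

# Python form of: parse kind=regex flags=iU CommandLine with * "user " CreatedUser " " * "/ad"
CREATED_USER_RE = re.compile(r"user (\S+) .*/ad", re.IGNORECASE)


def file_name(path):
    """tostring(split(Process, '\\')[-1])"""
    return path.rsplit("\\", 1)[-1]


def has_switch(command_line, switch):
    """Approximates KQL's term-based `has` for a switch: the switch must not be followed by more
    alphanumerics, so "/ad" is not found in "/add" and "/do" is not found in "/domain"."""
    return re.search(re.escape(switch) + r"(?![A-Za-z0-9])", command_line, re.IGNORECASE) is not None


def is_net1_echo(event):
    """net.exe re-executes itself as net1.exe with the same arguments; that child is dropped so each
    command is counted once. A single leading replacement is used here; the KQL replace() rewrites
    every "net" in the parent command line, so a user name containing "net" defeats its de-duplication."""
    parent = re.sub(r"^net", "net1", event["ActingProcessCommandLine"], count=1, flags=re.IGNORECASE)
    return (file_name(event["Process"]).lower() == "net1.exe"
            and file_name(event["ActingProcessName"]).lower() == "net.exe"
            and parent.lower() == event["CommandLine"].lower())


def hunt_uncommon_user_creation(events, acting_cmdline_allowlist=()):
    """Returns the summary rows the KQL produces, keyed like its `summarize ... by` clause.
    acting_cmdline_allowlist holds regexes for documented automation (the tuning from the scenarios)."""
    allow = [re.compile(p, re.IGNORECASE) for p in acting_cmdline_allowlist]
    rows = {}
    for e in events:
        fname = file_name(e["Process"])
        if fname.lower() not in ("net.exe", "net1.exe"):
            continue
        match = CREATED_USER_RE.search(e["CommandLine"])
        if match is None or is_net1_echo(e):   # parse-where semantics, then the net1.exe de-dup
            continue
        cl = e["CommandLine"]
        created_on_local = not has_switch(cl, "/do")
        # keep only the undocumented spellings: "/ad" without "/add", or "/do" without "/domain"
        undocumented = (not has_switch(cl, "/add")) or (not created_on_local and not has_switch(cl, "/domain"))
        if not undocumented or any(p.search(e["ActingProcessCommandLine"]) for p in allow):
            continue
        key = (match.group(1), created_on_local, file_name(e["ActingProcessName"]), fname,
               cl, e["ActingProcessCommandLine"])
        row = rows.setdefault(key, {"StartTimeUtc": e["TimeGenerated"], "EndTimeUtc": e["TimeGenerated"], "Dvcs": set()})
        row["StartTimeUtc"] = min(row["StartTimeUtc"], e["TimeGenerated"])
        row["EndTimeUtc"] = max(row["EndTimeUtc"], e["TimeGenerated"])
        row["Dvcs"].add(e["Dvc"])
    return {k: {"StartTimeUtc": r["StartTimeUtc"], "EndTimeUtc": r["EndTimeUtc"], "MachineCount": len(r["Dvcs"])}
            for k, r in rows.items()}


if __name__ == "__main__":
    for key, row in hunt_uncommon_user_creation(SAMPLE_EVENTS).items():
        scope = "local" if key[1] else "domain"
        print(key[0], scope, key[4], row)
```

Run without an allowlist it returns two rows: backupsvc (local, seen on two hosts) and svc_deploy (domain, created by the provisioning script); passing an allowlist that matches the script path in ActingProcessCommandLine removes the second, which is the narrow, parent-based exclusion the scenarios recommend over excluding on the created user name.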