Detection rules › Splunk
Account set to active via Net.exe (EDR)
Adversaries may obtain and abuse credentials of a default or disabled account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078.001 Valid Accounts: Default Accounts |
| Persistence | T1078.001 Valid Accounts: Default Accounts, T1098 Account Manipulation |
| Privilege Escalation | T1078.001 Valid Accounts: Default Accounts, T1098 Account Manipulation |
| Stealth | T1078.001 Valid Accounts: Default Accounts |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '8622.13200'
title: Account set to active via Net.exe
description: 'Adversaries may obtain and abuse credentials of a default or disabled
account as a means of gaining Initial Access, Persistence, Privilege Escalation,
or Defense Evasion. Default accounts are those that are built-into an OS, such as
the Guest or Administrator accounts on Windows systems. -- Threat Actor Association:
Unfading Sea Haze - Software Association: RansomHub -- Atomics T1078.001 Test#1
Atomics T1078.001 Test#2 Atomics T1564 Test#2'
logic_format: Splunk
logic: ' `get_endpoint_data` `get_endpoint_data_edr` ((event_type IN ("childproc","netconn","proc"))
OR (TERM(ProcessRollup2) OR Type=Process) OR TERM(DeviceProcessEvents)) ("/active:yes"
OR "/active:y") | table _time, host, user, signature_id, process, process_*, parent_process_*,
src_ip, dest_ip, dest_port `group_events("host", 1)` `hec_collect`'
techniques:
- privilege-escalation:valid accounts:default accounts
- persistence:account manipulation
- defense-evasion:valid accounts:default accounts
- persistence:valid accounts:default accounts
technique_id:
- T1078.001
- T1098
data_category:
- EDR Logs
- Process command-line parameters
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md
Stages and Predicates
Stage 1: search
search (Type="Process" OR event_type IN ("childproc", "netconn", "proc")) source="*" source IN ("*crowdstrike*", "*defender*", "*sentinelone*")
Stage 2: table
table _time, dest_ip, dest_port, host, parent_process_*, process, process_*, signature_id, src_ip, user
Stage 3: bucket
bucket _time
Stage 4: stats
stats BY host, _time
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event_type | in |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | ProcessRollup2 |
| 1 | TERM |
| 1 | DeviceProcessEvents |
| 1 | "/active:yes" |
| 1 | "/active:y" |