Detection rules › Splunk
Account set to active via Net.exe (Sysmon)
Adversaries may obtain and abuse credentials of a default or disabled account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078.001 Valid Accounts: Default Accounts |
| Persistence | T1078.001 Valid Accounts: Default Accounts, T1098 Account Manipulation |
| Privilege Escalation | T1078.001 Valid Accounts: Default Accounts, T1098 Account Manipulation |
| Stealth | T1078.001 Valid Accounts: Default Accounts |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '8622.11070'
title: Account set to active via Net.exe
description: 'Adversaries may obtain and abuse credentials of a default or disabled
account as a means of gaining Initial Access, Persistence, Privilege Escalation,
or Defense Evasion. Default accounts are those that are built-into an OS, such as
the Guest or Administrator accounts on Windows systems. -- Threat Actor Association:
Unfading Sea Haze - Software Association: RansomHub -- Atomics T1078.001 Test#1
Atomics T1078.001 Test#2 Atomics T1564 Test#2'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "EventID>1<")
("/active:yes" OR "/active:y") | table _time, host, user, signature_id, process,
process_*, parent_process_*, src_ip, dest_ip, dest_port `group_events("host", 1)` '
techniques:
- privilege-escalation:valid accounts:default accounts
- persistence:account manipulation
- defense-evasion:valid accounts:default accounts
- persistence:valid accounts:default accounts
technique_id:
- T1078.001
- T1098
data_category:
- Process command-line parameters
- Windows Sysmon
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md
Stages and Predicates
Stage 1: search
search EventCode=1 source="*" source IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
Stage 2: table
table _time, dest_ip, dest_port, host, parent_process_*, process, process_*, signature_id, src_ip, user
Stage 3: bucket
bucket _time
Stage 4: stats
stats BY host, _time
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "EventID>1<" |
| 1 | "/active:yes" |
| 1 | "/active:y" |