On Windows, the adversary uses built-in tools such as 'net user <name> <password> /add', PowerShell ('New-LocalUser'), or WMI/ADSI to create a local user. Sequence: a user account creation event (Security 4720) follows, on the same host and within a short window, the process creation (Sysmon EventCode 1) of a suspicious executable such as powershell.exe or net.exe, with the process user matching the 4720 Subject account.
| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | WinEventLog:Security | EventCode=4720 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| ParentProcessName | Attackers may launch the creator from cmd.exe, wscript.exe, or another script host; a renamed net.exe or powershell.exe defeats an Image-name match but not Sysmon's OriginalFileName field |
| TimeWindow | Time threshold between process start and the 4720 event (e.g., 5s to 2m); a wider window pulls in unrelated admin activity |
| UserContext | Compare the process User with the 4720 SubjectUserName; creation by SYSTEM, a built-in Administrator, or an account that has no business creating users raises priority |
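The sequence above, worked as an added example (not code from the ATT&CK page, from Sysmon, or from any SIEM): each 4720 is paired with Sysmon EID 1 events on the same host within the TimeWindow, filtered on UserContext, and scored by ParentProcessName and by whether the binary was renamed. The event dictionaries, host names and account names are constructed for the example; field names follow the Sysmon EID 1 and Security 4720 schemas. The command-line check covers 'net user /add' and 'New-LocalUser' only; WMI/ADSI creation is caught by the image name when it runs from powershell.exe.

```python
"""Sequence analytic: Security 4720 preceded by a Sysmon EID 1 on the same host.

Added example; not ATT&CK, Sysmon or vendor code. Sample events are constructed.
"""
from datetime import datetime, timedelta
import ntpath

# Built-in images the analytic names as account creators.
CREATOR_IMAGES = {"net.exe", "net1.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}
# A script host as parent is a stronger signal than an interactive cmd.exe.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def _image_name(path):
    return ntpath.basename(path).lower()


def _account_name(qualified):
    """Strip the DOMAIN\\ or MACHINE\\ prefix from a Sysmon User field."""
    return qualified.split("\\")[-1].lower()


def is_account_creation_cmdline(cmdline):
    """True for 'net user <name> <pw> /add' or a New-LocalUser invocation."""
    lowered = cmdline.lower()
    tokens = lowered.split()
    return ("user" in tokens and "/add" in tokens) or "new-localuser" in lowered


def correlate(sysmon_events, security_events, window=timedelta(seconds=120)):
    """One finding per 4720, listing the creator process(es) seen before it.

    A process qualifies when it started on the same host at most `window`
    before the 4720, ran as the 4720 Subject, and is a known creator image,
    a renamed copy of one (Sysmon OriginalFileName), or carries an
    account-creation command line.
    """
    procs = [e for e in sysmon_events if e["EventID"] == 1]
    findings = []
    for acct in security_events:
        if acct["EventID"] != 4720:
            continue
        t_acct = datetime.fromisoformat(acct["TimeCreated"])
        matched, severity = [], "info"
        for p in procs:
            if p["Computer"] != acct["Computer"]:
                continue
            lag = t_acct - datetime.fromisoformat(p["UtcTime"])
            if not (timedelta(0) <= lag <= window):
                continue  # TimeWindow: process must start before the 4720
            if _account_name(p["User"]) != acct["SubjectUserName"].lower():
                continue  # UserContext: creator must be the 4720 Subject
            image = _image_name(p["Image"])
            original = p.get("OriginalFileName", "").lower()
            renamed = bool(original) and original != image
            if not (image in CREATOR_IMAGES or original in CREATOR_IMAGES
                    or is_account_creation_cmdline(p["CommandLine"])):
                continue
            if renamed or _image_name(p["ParentImage"]) in SCRIPT_HOST_PARENTS:
                severity = "high"
            elif severity == "info":
                severity = "medium"
            matched.append(image)
        findings.append({
            "host": acct["Computer"], "target_user": acct["TargetUserName"],
            "subject_user": acct["SubjectUserName"], "processes": matched,
            "severity": severity,
            # No local creator process: GUI (lusrmgr/mmc) or a remote SAMR call
            # serviced by lsass, which leaves no creator process on this host.
            "note": "" if matched else "no creator process on host within window",
        })
    return findings


# Constructed Sysmon EID 1 events (hosts, users and paths are made up).
SYSMON_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-05-01T10:00:00",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe"'},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-05-01T10:00:03",
     "Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice",
     "CommandLine": "net user svc_backup P@ssw0rd! /add"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-05-01T10:00:03",
     "Image": r"C:\Windows\System32\net1.exe", "OriginalFileName": "net1.exe",
     "ParentImage": r"C:\Windows\System32\net.exe", "User": r"CORP\alice",
     "CommandLine": "C:\\Windows\\system32\\net1 user svc_backup P@ssw0rd! /add"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-05-01T10:30:00",
     "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "OriginalFileName": "net.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "User": r"CORP\bob",
     "CommandLine": "update.exe user helpdesk Summer2024! /add"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-05-01T12:00:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "powershell.exe -Command Get-Process"},
]

# Constructed Security 4720 events.
SECURITY_EVENTS = [
    {"EventID": 4720, "Computer": "WS01", "TimeCreated": "2024-05-01T10:00:04",
     "TargetUserName": "svc_backup", "SubjectUserName": "alice"},
    {"EventID": 4720, "Computer": "WS01", "TimeCreated": "2024-05-01T10:30:02",
     "TargetUserName": "helpdesk", "SubjectUserName": "bob"},
    {"EventID": 4720, "Computer": "WS01", "TimeCreated": "2024-05-01T14:00:00",
     "TargetUserName": "temp1", "SubjectUserName": "carol"},
]

if __name__ == "__main__":
    for finding in correlate(SYSMON_EVENTS, SECURITY_EVENTS):
        print(finding)
```

The first 4720 pairs with net.exe and its net1.exe child at medium severity (interactive cmd.exe parent, nothing renamed); the second pairs with a renamed net.exe launched by wscript.exe and scores high; the third has no creator process within the window and is kept as an informational finding rather than dropped, since a remote SAMR call or a GUI creation looks exactly like that.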
On Linux, local user accounts are created with 'useradd' or 'adduser', or by writing /etc/passwd and /etc/shadow directly. The behavior chain is execution of a user-management binary or modification of the user database files, ideally tied back to the session that issued the command.
| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | auditd:SYSCALL | useradd or adduser executed (SYSCALL/EXECVE records; useradd also emits an ADD_USER record when audit is enabled) |
| File Modification (DC0061) | auditd:SYSCALL | write to /etc/passwd or /etc/shadow (file watch rule such as '-w /etc/passwd -p wa') |
| Field | Description |
|---|---|
| BinaryPath | Full path of the executing binary (exe/comm in the SYSCALL record); account creation may be wrapped in shell scripts, cron jobs, or reverse shells, so key on the binary rather than on an interactive command line |
| ExecutionSource | Flag commands issued from remote sessions: tie the audit session id (ses) back to the USER_START record that opened it (e.g., from sshd, with the source address), and treat an unset session id as cron or daemon activity |
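The Linux chain above, worked as an added example (not code from the ATT&CK page or from the Linux audit project): auditd records are grouped by their serial number into events, an event is flagged when its SYSCALL/EXECVE records show useradd or adduser running or when a watched write to /etc/passwd or /etc/shadow comes from something other than the normal user-management tools, and each hit is tagged with its ExecutionSource by resolving the session id against the USER_START record that opened it. The rule keys 'user-mgmt' and 'passwd-change' are assumed to come from locally loaded audit rules, and the log lines are constructed for the example in auditd's record layout, not captured from a host.

```python
"""auditd parser for local account creation on Linux.

Added example; not ATT&CK or audit project code. Assumes rules such as
  -w /etc/passwd -p wa -k passwd-change   (and the same for /etc/shadow)
  -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/useradd -k user-mgmt
are loaded. SAMPLE_AUDIT_LOG below is constructed, not a real capture.
"""
import re
from os.path import basename

USER_MGMT_BINARIES = {"useradd", "adduser", "usermod", "chpasswd", "passwd"}
USER_DB_FILES = {"/etc/passwd", "/etc/shadow"}
UNSET = "4294967295"  # kernel value for an unset auid/ses (daemons, cron)

_HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
_KV = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)'|(\S+))")


def parse_fields(payload):
    """key=value pairs; values may be "quoted", 'quoted' or bare."""
    fields = {}
    for m in _KV.finditer(payload):
        fields[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return fields


def group_events(lines):
    """Group records by audit serial: serial -> {record type: [fields, ...]}."""
    events = {}
    for line in lines:
        m = _HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, payload = m.groups()
        fields = parse_fields(payload)
        if "msg" in fields:  # user-space records nest key=value inside msg='...'
            fields.update(parse_fields(fields["msg"]))
        fields["_ts"] = float(ts)
        events.setdefault(serial, {}).setdefault(rtype, []).append(fields)
    return events


def session_origins(events):
    """ses -> origin, from the USER_START (PAM session open) records."""
    origins = {}
    for recs in events.values():
        for r in recs.get("USER_START", []):
            exe = basename(r.get("exe", ""))
            if exe == "sshd":
                origins[r["ses"]] = "ssh from " + r.get("addr", "?")
            else:
                origins[r["ses"]] = "local (%s, %s)" % (exe, r.get("terminal", "?"))
    return origins


def detect_account_creation(lines):
    events = group_events(lines)
    origins = session_origins(events)
    findings = []
    for serial, recs in events.items():
        sys_recs = recs.get("SYSCALL")
        if not sys_recs or sys_recs[0].get("success") != "yes":
            continue
        sc = sys_recs[0]
        exe = basename(sc.get("exe", ""))
        db_hits = {p.get("name") for p in recs.get("PATH", [])} & USER_DB_FILES
        if recs.get("EXECVE") and exe in {"useradd", "adduser"}:
            ex = recs["EXECVE"][0]
            # Long arguments are chunked as a1[0], a1[1], ...; not handled here.
            argv = [ex["a%d" % i] for i in range(int(ex["argc"]))]
            reason = "user-management binary executed: " + " ".join(argv)
        elif db_hits and exe not in USER_MGMT_BINARIES:
            reason = "direct write to %s by %s" % (", ".join(sorted(db_hits)), exe)
        else:
            continue  # writes by the normal tools are covered by their EXECVE
        ses = sc.get("ses", UNSET)
        origin = ("no login session (cron/daemon)" if ses == UNSET
                  else origins.get(ses, "unknown session"))
        findings.append({"serial": serial, "auid": sc.get("auid"), "exe": exe,
                         "reason": reason, "origin": origin})
    return findings


# Constructed audit records: an SSH session running useradd, then a cron-style
# process (no login session) writing /etc/passwd directly.
SAMPLE_AUDIT_LOG = [
    "type=USER_START msg=audit(1714557590.001:4200): pid=3400 uid=0 auid=1000 ses=7 "
    "msg='op=PAM:session_open grantors=pam_unix acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'",
    "type=SYSCALL msg=audit(1714557600.123:4242): arch=c000003e syscall=59 success=yes "
    "exit=0 ppid=3410 pid=3415 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 "
    "comm=\"useradd\" exe=\"/usr/sbin/useradd\" key=\"user-mgmt\"",
    "type=EXECVE msg=audit(1714557600.123:4242): argc=3 a0=\"useradd\" a1=\"-m\" a2=\"svc_backup\"",
    "type=SYSCALL msg=audit(1714557600.200:4243): arch=c000003e syscall=257 success=yes "
    "exit=3 ppid=3410 pid=3415 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 "
    "comm=\"useradd\" exe=\"/usr/sbin/useradd\" key=\"passwd-change\"",
    "type=PATH msg=audit(1714557600.200:4243): item=0 name=\"/etc/passwd\" inode=1234 nametype=NORMAL",
    "type=SYSCALL msg=audit(1714561200.500:4300): arch=c000003e syscall=257 success=yes "
    "exit=3 ppid=1 pid=4100 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 "
    "comm=\"python3\" exe=\"/usr/bin/python3.11\" key=\"passwd-change\"",
    "type=PATH msg=audit(1714561200.500:4300): item=0 name=\"/etc/passwd\" inode=1234 nametype=NORMAL",
]

if __name__ == "__main__":
    for finding in detect_account_creation(SAMPLE_AUDIT_LOG):
        print(finding)
```

Two findings come out: the useradd execution, attributed to the SSH session from 203.0.113.5 via its ses value, and the python3 write to /etc/passwd with no login session. The passwd-change hit raised by useradd's own write is deliberately suppressed so one account creation does not produce two alerts.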
On macOS, accounts are created with 'dscl . -create /Users/<name>' (followed by further -create calls for UniqueID, PrimaryGroupID, NFSHomeDirectory, and UserShell, and '-passwd' to set a password) or through the Users & Groups GUI. Detection combines the command execution with file changes to the local Directory Services database.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | dscl . -create /Users/<name> |
| File Modification (DC0061) | macos:unifiedlog | modification to /var/db/dslocal/nodes/Default/users/ |
| Field | Description |
|---|---|
| UsernamePattern | Names such as 'svc*' or 'backup*' mimic legitimate service accounts; compare against the host's existing naming convention rather than a fixed blocklist |
| SessionOrigin | Identify whether dscl ran from a local Terminal.app session, over SSH, or via Apple Remote Desktop (ARD); remote origins deserve higher priority |
On ESXi, a local account is created with 'esxcli system account add -i <id> -p <password> -c <password>'. The sequence is the esxcli execution (shell commands are also recorded in /var/log/shell.log) followed by the successful change to the account database.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:vmkernel | esxcli system account add |
| Field | Description |
|---|---|
| CommandOrigin | Creation from the local console (DCUI), an SSH shell, or a remote vSphere CLI/API session carries different risk; SSH is disabled by default on ESXi, so a shell session on a host that should not have one is the highest-fidelity case |
In a running container, an account is created with 'useradd' or by modifying /etc/passwd directly, which the container image may allow even when the host does not. This is detectable through runtime telemetry (e.g., Falco rules or eBPF hooks on the execve and write syscalls).
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | ebpf:syscalls | useradd or /etc/passwd modified inside container |
| Field | Description |
|---|---|
| ContainerContext | Distinguish between ephemeral containers (e.g., CI jobs) and long-lived service containers, where an added account has no legitimate purpose |
| NamespaceScope | Determine whether the write hit the container's own /etc/passwd (its mount namespace) or the host's; a container with the host filesystem mounted can add accounts on the host |
On network devices, a local account is created from the CLI with the 'username' command (e.g., Cisco IOS 'username <name> privilege 15 secret <password>') or through a management REST API. This is detectable through AAA command accounting or CLI history telemetry sent to syslog.
| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | networkdevice:syslog | username |
| Field | Description |
|---|---|
| PrivilegeLevel | Some devices allow creation of unprivileged users; weight the alert by the assigned privilege level or role, with admin-level (e.g., privilege 15) accounts at the top |
| RemoteSessionFlag | Creation over Telnet, SSH, or the serial console affects detection priority; Telnet sessions are unencrypted and console sessions imply physical or out-of-band access |