sigmamediumHunting

Powershell LocalAccount Manipulation

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups

MITRE ATT&CK

T1098

privilege-escalationpersistence

Detection Query

selection:
  ScriptBlockText|contains:
    - Disable-LocalUser
    - Enable-LocalUser
    - Get-LocalUser
    - Set-LocalUser
    - New-LocalUser
    - Rename-LocalUser
    - Remove-LocalUser
condition: selection

Author

frack113

Created

2021-12-28

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.privilege-escalationattack.persistenceattack.t1098

Raw Content

title: Powershell LocalAccount Manipulation
id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c
status: test
description: |
    Adversaries may manipulate accounts to maintain access to victim systems.
    Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
author: frack113
date: 2021-12-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Disable-LocalUser'
            - 'Enable-LocalUser'
            - 'Get-LocalUser'
            - 'Set-LocalUser'
            - 'New-LocalUser'
            - 'Rename-LocalUser'
            - 'Remove-LocalUser'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium