cscli scenarios install sigmahq/proc_creation_win_net_user_default_accounts_manipulation

type: trigger
name: sigmahq/proc_creation_win_net_user_default_accounts_manipulation
description: |
  Detects suspicious manipulation of default accounts such as 'administrator' and 'guest', for example enabling or disabling the account or changing its password.
filter: |
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\net.exe' || evt.Parsed.Image endsWith '\\net1.exe' || evt.Parsed.OriginalFileName in ['net.exe', 'net1.exe']) && evt.Parsed.CommandLine contains ' user ' && (evt.Parsed.CommandLine contains ' Järjestelmänvalvoja ' || evt.Parsed.CommandLine contains ' Rendszergazda ' || evt.Parsed.CommandLine contains ' Администратор ' || evt.Parsed.CommandLine contains ' Administrateur ' || evt.Parsed.CommandLine contains ' Administrador ' || evt.Parsed.CommandLine contains ' Administratör ' || evt.Parsed.CommandLine contains ' Administrator ' || evt.Parsed.CommandLine contains ' guest ' || evt.Parsed.CommandLine contains ' DefaultAccount ' || evt.Parsed.CommandLine contains ' "Järjestelmänvalvoja" ' || evt.Parsed.CommandLine contains ' "Rendszergazda" ' || evt.Parsed.CommandLine contains ' "Администратор" ' || evt.Parsed.CommandLine contains ' "Administrateur" ' || evt.Parsed.CommandLine contains ' "Administrador" ' || evt.Parsed.CommandLine contains ' "Administratör" ' || evt.Parsed.CommandLine contains ' "Administrator" ' || evt.Parsed.CommandLine contains ' "guest" ' || evt.Parsed.CommandLine contains ' "DefaultAccount" ' || evt.Parsed.CommandLine contains ' \'Järjestelmänvalvoja\' ' || evt.Parsed.CommandLine contains ' \'Rendszergazda\' ' || evt.Parsed.CommandLine contains ' \'Администратор\' ' || evt.Parsed.CommandLine contains ' \'Administrateur\' ' || evt.Parsed.CommandLine contains ' \'Administrador\' ' || evt.Parsed.CommandLine contains ' \'Administratör\' ' || evt.Parsed.CommandLine contains ' \'Administrator\' ' || evt.Parsed.CommandLine contains ' \'guest\' ' || evt.Parsed.CommandLine contains ' \'DefaultAccount\' ') && not (evt.Parsed.CommandLine contains 'guest' && evt.Parsed.CommandLine contains '/active no'))
blackhole: 2m
#status: test
labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1560.001
  label: "Suspicious Manipulation Of Default Accounts Via Net.EXE"
  behavior: "windows:audit"
  remediation: false

scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId
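As an added example (not CrowdSec's or SigmaHQ's own code), the following Python mirrors the scenario's filter and evaluates it against constructed Sysmon process-creation records, so the quoted-name variants, the space required after the account name, and the guest '/active no' exclusion can be checked offline. The `sysmon_event` helper and the sample command lines are assumptions made up for the demonstration.

```python
# Added example (not CrowdSec's or SigmaHQ's code): a Python mirror of the
# scenario's expr filter, evaluated against constructed Sysmon EventID 1 records.
DEFAULT_ACCOUNTS = [
    "Järjestelmänvalvoja", "Rendszergazda", "Администратор", "Administrateur",
    "Administrador", "Administratör", "Administrator", "guest", "DefaultAccount",
]
# Each name is searched bare, double-quoted and single-quoted, with a space on both
# sides, as in the filter; expr's `contains` is a plain, case-sensitive substring test.
ACCOUNT_TOKENS = [f" {q}{n}{q} " for n in DEFAULT_ACCOUNTS for q in ("", '"', "'")]


def is_net_binary(image: str, original_file_name: str) -> bool:
    """Image ends with \\net.exe or \\net1.exe, or OriginalFileName names either."""
    return (image.endswith("\\net.exe") or image.endswith("\\net1.exe")
            or original_file_name in ("net.exe", "net1.exe"))


def matches_scenario(evt: dict) -> bool:
    """True when a parsed event satisfies the scenario filter above."""
    if evt.get("service") != "sysmon" or evt.get("EventID") != "1":
        return False
    if not is_net_binary(evt.get("Image", ""), evt.get("OriginalFileName", "")):
        return False
    cmd = evt.get("CommandLine", "")
    if " user " not in cmd or not any(tok in cmd for tok in ACCOUNT_TOKENS):
        return False
    # Exclusion carried over from the rule: 'guest' together with '/active no'
    # (written with a space, as in the filter) is not alerted on.
    return not ("guest" in cmd and "/active no" in cmd)


def sysmon_event(cmd: str, image: str = r"C:\Windows\System32\net.exe") -> dict:
    """Constructed Sysmon EventID 1 record (sample data, not real telemetry)."""
    return {"service": "sysmon", "EventID": "1", "Image": image,
            "OriginalFileName": image.rsplit("\\", 1)[-1], "CommandLine": cmd}


if __name__ == "__main__":
    net1 = r"C:\Windows\System32\net1.exe"
    samples = [
        sysmon_event("net user Administrator Passw0rd!"),        # match
        sysmon_event('net user "DefaultAccount" /active:yes'),   # match, quoted
        sysmon_event("net1 user 'guest' /add", net1),            # match via net1.exe
        sysmon_event("net user guest /active no"),               # excluded
        sysmon_event("net user Administrator"),                  # no arg after name
        sysmon_event("net localgroup Administrators alice /add"),# no ' user '
    ]
    for evt in samples:
        print(f"{str(matches_scenario(evt)):5} {evt['CommandLine']}")
```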