title: Account Manipulation
description: Detect account manipulation with the PowerShell AD module, filtered by Parent Process, as some Logon Scripts and Configuration Items (SCOM, SCCM) may also cause noise.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
  tactic: Persistence
  technique: T1098
  subtechnique:
operating_system: windows
query: |
  (
    SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
    OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
    OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b"
    OR SrcProcCmdScript RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b"
  )
  AND SrcProcParentName Not In ("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
false_positives:
  - logon scripts
  - Configuration Manager CI/BL Items
tags:
references:
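The rule's logic replayed over constructed process events, as an added example that is not part of the original rule: the cmdlet list is matched case-insensitively (the query's "Contains Anycase"), the Add-ADGroupMember regex as written, and events whose parent is on the exclusion list are dropped. Field names mirror the query; comparing parent names case-insensitively and the sample events themselves are assumptions.

```python
import re
from typing import Dict, List

# Cmdlets from the rule's "Contains Anycase" clauses (matched case-insensitively)
ACCOUNT_CMDLETS = ("New-ADUser", "Rename-LocalUser", "Set-LocalUser")
# Regex clause from the rule: Add-ADGroupMember and Domain Admins on the same line
DOMAIN_ADMIN_RE = re.compile(r"\bAdd-ADGroupMember\b.*\bDomain Admins\b")
# Parent processes the rule excludes as known noise sources (SCOM/SCCM, App-V, telemetry)
EXCLUDED_PARENTS = {p.lower() for p in
                    ("WmiPrvSE.exe", "AppVClient.exe", "svchost.exe", "CompatTelRunner.exe")}


def _text_matches(text: str) -> bool:
    """A command line or script body matches if it contains a listed cmdlet
    in any case, or the Add-ADGroupMember ... Domain Admins pattern."""
    if not text:
        return False
    lowered = text.lower()
    if any(c.lower() in lowered for c in ACCOUNT_CMDLETS):
        return True
    return DOMAIN_ADMIN_RE.search(text) is not None


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply the full rule to one event. Assumption: parent process names are
    compared case-insensitively, as Windows treats file names."""
    if event.get("SrcProcParentName", "").lower() in EXCLUDED_PARENTS:
        return False  # parent exclusion wins, even if the command line matches
    return (_text_matches(event.get("SrcProcCmdLine", ""))
            or _text_matches(event.get("SrcProcCmdScript", "")))


def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"id": "e1", "SrcProcParentName": "explorer.exe",
     "SrcProcCmdLine": "powershell.exe -c new-aduser -Name svc-backup -Enabled $true"},
    {"id": "e2", "SrcProcParentName": "svchost.exe",  # excluded parent: logon script noise
     "SrcProcCmdLine": "powershell.exe -File C:\\Scripts\\logon.ps1",
     "SrcProcCmdScript": "Set-LocalUser -Name Guest -PasswordNeverExpires $true"},
    {"id": "e3", "SrcProcParentName": "cmd.exe",  # read-only query, no match
     "SrcProcCmdLine": "powershell.exe -c Get-ADUser -Filter *"},
    {"id": "e4", "SrcProcParentName": "wscript.exe",
     "SrcProcCmdLine": "powershell.exe -File C:\\Temp\\update.ps1",
     "SrcProcCmdScript": "Add-ADGroupMember -Identity 'Domain Admins' -Members jdoe"},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['e1', 'e4']
```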