title: Local Account Added Windows
description: Queries all instances of local accounts being created.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Persistence
  technique: T1136
  subtechnique: 001
operating_system: windows
query: SrcProcCmdLine In Contains Anycase ("net user /add","New-LocalUser") OR SrcProcCmdLine RegExp "\bdscl\b.*\b/\create\b" OR SrcProcCmdLine RegExp "\bnet localgroup administrators\b.*\b\/add\b"
false_positives: General account maintenance.
tags: null