title: PowerShell Create Local User
author: '@ROxPinTeddy'
date: 2020/04/11
description: Detects creation of a local user via PowerShell
detection:
    SELECTION_1:
        ScriptBlockText: '*New-LocalUser*'
    condition: SELECTION_1
falsepositives:
- Legitimate user creation
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
level: medium
logsource:
    category: ps_script
    definition: Script block logging must be enabled
    product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.persistence
- attack.t1136.001
- attack.t1136
yml_filename: powershell_create_local_user.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script